Closed
Bug 638018
(CVE-2011-2377)
Opened 14 years ago
Closed 14 years ago
[1.9.2] crash [@ ycc_rgb_convert] on image with src set to a resource with multipart/x-mixed-replace content type
Categories: Core :: General, defect
People: Reporter: jordi.chancel, Assigned: joe
Details: Keywords: reporter-external, verified1.9.2; Whiteboard: [sg:critical?]
Attachments: 1 file, 2 obsolete files (105.60 KB, image/png)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14
Visiting a web page that contains multiple images whose src attribute refers to a multipart/x-mixed-replace resource, Firefox 3.6.14 on Windows crashes after some time with [Access_Violation_Write].
Tested on Windows 7
Reproducible: Always
Steps to Reproduce:
1. Visit test page
2. wait a few moments
Actual Results:
Firefox crashes
Expected Results:
Firefox doesn't crash
Like bug 610601, this crash is very intermittent: sometimes Firefox will crash after some seconds, and sometimes Firefox doesn't crash at all.
Comment 1•14 years ago (Reporter)
Comment 2•14 years ago (Reporter)
Comment 3•14 years ago
Jordi, can you reproduce this with a 4.0 beta build? No crash here...
Comment 4•14 years ago (Reporter)
The Firefox 4.0 beta build doesn't crash.
But multiple crash reports have been sent for 3.6.14.
https://crash-stats.mozilla.com/report/index/bp-220402bb-ccd7-4f1f-aaa4-57a4d2110217
https://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&date=2011-03-03%2002%3A00%3A00&signature=ycc_rgb_convert&version=Firefox%3A3.6.14
I will retry with 3.6.14
Comment 5•14 years ago (Reporter)
Mozilla Firefox 3.6.14 crashes again.
Please try with Mozilla Firefox 3.6.14
Comment 6•14 years ago (Reporter)
(Please try with Mozilla Firefox 3.6.14 on Windows.) Not tested on Mac OS, Linux or Solaris...
Updated•14 years ago
Status: UNCONFIRMED → NEW
blocking1.9.2: --- → ?
blocking2.0: --- → -
status1.9.2: --- → wanted
status2.0: --- → unaffected
Ever confirmed: true
Whiteboard: [sg:critical?]
Version: unspecified → 1.9.2 Branch
Comment 7•14 years ago
Crash-stats for this stack (see comment 4) look scary exploitable. Have not been able to repro myself, but socorro shows there's a real problem here somewhere.
Comment 8•14 years ago (Reporter)
The crash is very intermittent; go to http://81.248.6.194/ and wait.
Comment 9•14 years ago
Yeah, I can repro on Linux64 debug but it takes about 30 minutes each time.
GDB tells me this is an optimized image, as in bug 610601.
It's hard to debug because of the setjmp/longjmp error handling...
Assignee: nobody → matspal
OS: Windows 7 → All
Hardware: x86 → All
Updated•14 years ago (Reporter)
Summary: Firefox 3.6.14 crash [@ ycc_rgb_convert] on image with src set to a resource with multipart/x-mixed-replace content type(windows) (Possible regression?) → Firefox 3.6.14 crash [@ ycc_rgb_convert] on image with src set to a resource with multipart/x-mixed-replace content type (Possible regression?)
Comment 10•14 years ago (Reporter)
That's the image that crashes Mozilla Firefox.
Updated•14 years ago (Reporter)
Attachment #518429 - Attachment is obsolete: true
Comment 11•14 years ago (Reporter)
Not Fixed for 3.6.16?
Comment 12•14 years ago
Let's see if the patch in bug 639303 fixes this.
Comment 13•14 years ago
This doesn't happen _as_much_ in Firefox 4.0, but I do see a couple stacks that are the same as the scary one here.
bp-d0989164-0b9d-4543-a379-a3deb2110331
bp-082ded3e-ff20-4260-94ed-fd20b2110330
This is essentially a dupe of bug 557107 but we might as well work on it in this bug that's already appropriately marked and hidden. Also this one links to a testcase that at least the reporter can reproduce with, even if we can't.
(In reply to comment #12)
> Let's see if the patch in bug 639303 fixes this.
That seems to be a completely different stack and a more reproducible case. In any case it's going to be hard to see if bug 639303 fixes this because even Jordi has trouble reproducing this on mozilla-central nightlies.
blocking2.0: - → ?
Comment 14•14 years ago (Reporter)
I will retry with 4.0
Comment 15•14 years ago
The fix in bug 639303 has not landed yet. At this point you'll only be testing how hard it is to reproduce on 4.0.
Updated•14 years ago
blocking2.0: ? → .x+
Comment 16•14 years ago (Reporter)
http://meteoaragon.blogspot.com/ sometimes crashes more quickly.
Comment 17•14 years ago
bug 639303 landed on 6.0a1 Nightlies last week and in Fx5 ("Aurora") 5/15. Does it still reproduce in a current Aurora build?
https://www.mozilla.com/firefox/channel/
Updated•14 years ago
tracking-firefox5: --- → +
Depends on: 639303
Whiteboard: [sg:critical?] → [sg:critical?] fixed by 639303?
Comment 18•14 years ago (Reporter)
The Aurora build doesn't crash. FIXED?
Comment 19•14 years ago
It still crashes on the 1.9.2 branch. Unfortunately the fix for bug 639303 doesn't apply on 1.9.2 or older. Let's use this bug to handle 1.9.2 and older branches and 639303 handle 2.0 and newer.
Whiteboard: [sg:critical?] fixed by 639303? → [sg:critical?]
Updated•14 years ago
status-firefox5: --- → unaffected
tracking-firefox5: + → ---
Updated•14 years ago
blocking1.9.2: needed → .18+
Updated•14 years ago
Whiteboard: [sg:critical?] → [sg:critical?] fixed on trunk in 639303
Updated•14 years ago
status-firefox6: --- → fixed
Summary: Firefox 3.6.14 crash [@ ycc_rgb_convert] on image with src set to a resource with multipart/x-mixed-replace content type (Possible regression?) → [1.9.2] crash [@ ycc_rgb_convert] on image with src set to a resource with multipart/x-mixed-replace content type
Updated•14 years ago (Reporter)
Updated•14 years ago
status-firefox7: --- → fixed
tracking-firefox5: --- → -
tracking-firefox6: --- → -
tracking-firefox7: --- → -
Comment 21•14 years ago (Reporter)
Fixed for the next release?
Comment 22•14 years ago
Mats, we need to get this fixed on 1.9.2 ASAP, as we will disclose it when we ship Fx5.
Comment 23•14 years ago
I tried to reproduce this for about an hour without any crash occurring.
http://81.248.6.194/ - connection times out
http://www.sdj-airport.com/live/ - connection times out
http://meteoaragon.blogspot.com/ - responds, but is very slow
I don't think it's meaningful for me to work on this bug without steps to reproduce that will cause crashes.
Assignee: matspal → nobody
Keywords: testcase-wanted
Comment 24•14 years ago
(In reply to comment #23)
> http://www.sdj-airport.com/live/ - connection times out
The Sendai airport was hit by the Japanese tsunami.
Comment 25•14 years ago
I reproduced on Mac:
https://crash-stats.mozilla.com/report/index/bp-3716d07f-ae97-417c-8208-3db4a2110610
Loading (had to reload a couple of times to get the image to work):
http://meteoaragon.blogspot.com/2009/05/http2bpblogspotcomrvky0yt28sfnmfwqa4iaa.html
Comment 26•14 years ago
Reproduced on XP SP3 with last night's 1.9.2.18pre build within three minutes:
https://crash-stats.mozilla.com/report/index/4b3985a5-5917-422d-8f66-2feba2110610
Using http://meteoaragon.blogspot.com
Comment 27•14 years ago
The only thing Dan and I did differently was disable the Flash plugin, so that nothing pulls in Flash data.
Comment 28•14 years ago
meteoaragon.blogspot.com still crashes for me; it takes < 3 minutes to cycle through the images and hit the bad one on WinXP.
bp-76f20d09-4e44-4703-a918-0a4ff2110610
bp-34343f1c-ef08-4d4e-aa17-1a5112110610
bp-3246c590-a19a-46fa-9726-825452110610
Updated•14 years ago
Assignee: nobody → joe
Comment 29•14 years ago
I made a testcase that does multipart/x-mixed-replace on an alternating pair of images. You can only hit it from the MV Office VPN, though:
http://bsterne.mv.mozilla.com/test/scratch/multipart.php
Comment 30•14 years ago
I haven't observed any crashes with the URL in comment 29, but perhaps the testcase needs to do something more complex than alternate between two images?
Comment 31•14 years ago
This bug qualifies for the security bug bounty.
Updated•14 years ago (Reporter)
Comment 32•14 years ago (Assignee)
This bug is a duplicate of bug 524921, which we, for unfathomable reasons, thought did not apply to 1.9.2.
Whiteboard: [sg:critical?] fixed on trunk in 639303 → [sg:critical?]
Updated•14 years ago
Depends on: CVE-2010-1201
Comment 33•14 years ago (Assignee)
I ported the patch from bug 524921 to 1.9.2 (trivial port).
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/b55ede4eaf22
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
Comment 34•14 years ago
Verified for 1.9.2.18 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110613 Firefox/3.6.18). The test page no longer crashes.
Keywords: verified1.9.2
Comment 35•14 years ago (Reporter)
Updated•14 years ago (Reporter)
Attachment #539135 - Attachment mime type: text/plain → text/html
Comment 36•14 years ago (Reporter)
http://meteoaragon.blogspot.com/2009/05/http2bpblogspotcomrvky0yt28sfnmfwqa4iaa.html is sometimes 404,
but I have a new testcase (crash < 1 min)!
Updated•14 years ago (Reporter)
Attachment #539135 - Attachment is obsolete: true
Comment 37•14 years ago (Reporter)
What is the CVE id?
Comment 38•14 years ago (Reporter)
No CVE for this issue?
The fix release is for today, isn't it?
Comment 39•14 years ago
Updated•14 years ago
Alias: CVE-2011-2377
Updated•14 years ago
Group: core-security
Comment 40•14 years ago
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20
Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Mozilla/5.0 (Windows NT 6.1; rv:9.0a1) Gecko/20110818 Firefox/9.0a1
So this issue was fixed?
I can't reproduce it, Firefox doesn't crash!
Thanks.
Updated•12 years ago
Flags: sec-bounty+
Updated•10 years ago
Keywords: testcase-wanted
Updated•11 months ago
Keywords: reporter-external