Closed Bug 671741 Opened 14 years ago Closed 9 years ago

Firefox 5.0 crash trying get address of method from vtable

Categories

(Firefox :: Security, defect)

Version: 5 Branch
Platform: x86 Windows XP
Type: defect
Priority: Not set
Severity: critical

RESOLVED WORKSFORME

People

(Reporter: vulnerable.zappa, Unassigned)

Details

(Keywords: crash, crashreportid, Whiteboard: dupeme)

Crash Data

Attachments

(1 file)

865 bytes, application/octet-stream
At the moment of the crash Firefox is trying to get the address of a method from the vtable of some object, but this object doesn't exist any more because it is freed when we close the tab, and the pointer to this object becomes a null pointer ;> I tried to get control over this pointer but I can't, so I think this is just another "unexploitable" crash. But on the other hand, if you can create a situation where this pointer does not become a null pointer after the "free" and instead points to a memory region that you control, then you have pure RCE.
Attached file repro
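The scenario the reporter describes, a virtual call made through a freed object's vtable, is illustrated below in C. This is an added example, not code from this bug report or from Firefox, and it does not reproduce the nsGlobalWindow::GetLocalStorage crash. The `Obj`/`VTable` types, the one-slot allocator that hands a freed chunk straight back to the next allocation, and the `attacker_spray` helper are all invented for the illustration; the null check in `call_get_local_storage` stands in for the invalid-address read that actually crashes the browser. The three cases are the live object, the freed object whose pointer was nulled (a crash with nothing to steer), and the freed object whose pointer dangles into attacker-filled memory (the dispatch lands on the attacker's function).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return markers so each code path can be told apart. */
enum {
    RESULT_REAL_STORAGE  = 1,     /* legitimate method ran               */
    RESULT_NULL_DEREF    = -1,    /* stands in for a null-pointer crash  */
    RESULT_ATTACKER_CODE = 1337   /* attacker-supplied "method" ran      */
};

typedef struct Obj Obj;
typedef int (*method_t)(Obj *self);

/* Hypothetical vtable layout, a C model of a C++ object with virtual
 * methods. The second slot plays the role of a GetLocalStorage-like method. */
typedef struct {
    method_t close;
    method_t get_local_storage;
} VTable;

struct Obj {
    const VTable *vt;   /* first word of a C++ object: the vtable pointer */
    int tab_id;
};

static int real_close(Obj *self)       { (void)self; return 0; }
static int real_get_storage(Obj *self) { (void)self; return RESULT_REAL_STORAGE; }
static const VTable real_vtable = { real_close, real_get_storage };

/* Where the attacker wants the dangling call to land. */
static int attacker_method(Obj *self) { (void)self; return RESULT_ATTACKER_CODE; }
static const VTable fake_vtable = { attacker_method, attacker_method };

/* One-slot "heap" (invented): a deterministic stand-in for an allocator that
 * reuses a freed chunk for the next same-sized allocation. free() does not
 * scrub the contents, just like the real thing. */
static union {
    Obj           obj;
    unsigned char raw[sizeof(Obj)];
} heap_slot;
static int slot_in_use;

static Obj *obj_new(int tab_id) {
    if (slot_in_use) return NULL;
    slot_in_use = 1;
    heap_slot.obj.vt = &real_vtable;
    heap_slot.obj.tab_id = tab_id;
    return &heap_slot.obj;
}

static void obj_free(Obj *o) {
    (void)o;
    slot_in_use = 0;   /* bytes left in place */
}

/* Attacker refills the freed chunk with bytes they control (the effect of a
 * heap spray or a same-sized allocation triggered from content). */
static int attacker_spray(const void *bytes, size_t n) {
    if (slot_in_use || n > sizeof heap_slot.raw) return 0;
    memcpy(heap_slot.raw, bytes, n);
    slot_in_use = 1;
    return 1;
}

/* The dispatch from the report: load vtable pointer, load method, call it.
 * A NULL object is reported rather than dereferenced so the example stays
 * well-defined; in the browser this is the invalid-address read. */
static int call_get_local_storage(Obj *o) {
    if (o == NULL) return RESULT_NULL_DEREF;
    return o->vt->get_local_storage(o);
}

/* Case 1: live object, ordinary virtual call. */
int scenario_live(void) {
    Obj *tab = obj_new(1);
    int r = call_get_local_storage(tab);
    obj_free(tab);
    return r;
}

/* Case 2: tab closed and the owner nulls its pointer. A later use is a null
 * dereference: it crashes, but the attacker steers nothing. */
int scenario_nulled_after_free(void) {
    Obj *tab = obj_new(2);
    obj_free(tab);
    tab = NULL;
    return call_get_local_storage(tab);
}

/* Case 3: tab closed, pointer left dangling, chunk refilled with an object
 * whose vtable pointer belongs to the attacker. The same dispatch now calls
 * attacker_method. */
int scenario_dangling_after_free(void) {
    Obj *tab = obj_new(3);
    obj_free(tab);
    Obj crafted;                   /* attacker-controlled bytes */
    crafted.vt = &fake_vtable;
    crafted.tab_id = 0;
    if (!attacker_spray(&crafted, sizeof crafted)) return 0;
    int r = call_get_local_storage(tab);   /* tab still points at the slot */
    obj_free(tab);
    return r;
}

int main(void) {
    printf("live     : %d\n", scenario_live());
    printf("nulled   : %d\n", scenario_nulled_after_free());
    printf("dangling : %d\n", scenario_dangling_after_free());
    return 0;
}
```

The difference between cases 2 and 3 is exactly the one the report draws: whether the freed object's pointer is cleared, or keeps pointing at memory whose first word the attacker can now choose.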
Crash Signature: Firefox 5.0 crash when attempting to read invalid memory address
Component: General → Security
QA Contact: general → firefox
Version: unspecified → 5 Branch
Don't set the milestone please, that gets set when a patch is checked in
Target Milestone: Firefox 5 → ---
Severity: normal → critical
Keywords: crash
Summary: Firefox 5.0 crash → Firefox 5.0 crash trying get address of method from vtable
Whiteboard: dupeme
Mozilla/5.0 (Windows NT 5.1; rv:8.0a1) Gecko/20110815 Firefox/8.0a1
I cannot reproduce the issue. If Firefox crashes, please post the crash report ID from about:crashes. I am setting the resolution to RESOLVED WORKSFORME. Thanks!
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Try with popup blockers disabled. Firefox 5.0.1 is affected too. Crash report for Firefox 5.0.1: https://crash-stats.mozilla.com/report/index/703a1eb1-2d64-4df2-9372-6ec222110816
Status: RESOLVED → UNCONFIRMED
Crash Signature: [@ nsGlobalWindow::GetLocalStorage(nsIDOMStorage**) ]
Keywords: crashreportid
Resolution: WORKSFORME → ---
echo -> Is this still reproducible with Firefox 11? If so, can you provide a recent crash id?
Crash Signature: [@ nsGlobalWindow::GetLocalStorage(nsIDOMStorage**) ] → [@ nsGlobalWindow::GetLocalStorage(nsIDOMStorage**) ] [@ nsGlobalWindow::GetLocalStorage ]
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago → 9 years ago
Resolution: --- → WORKSFORME