Closed Bug 674042 (CVE-2011-2989) Opened 14 years ago Closed 14 years ago

WebGL: crash in getUniformLocation with too long uniform identifiers

Categories

(Core :: Graphics: CanvasWebGL, defect)

5 Branch
All
Other
defect
Not set
normal

Tracking

VERIFIED FIXED
mozilla8
Tracking Status
firefox6 --- fixed
firefox7 --- fixed
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: aral, Assigned: bjacob)

Details

(Keywords: reporter-external, verified-beta, Whiteboard: [sg:vector-critical?][qa!])

Attachments

(2 files)

Attached file poc1.html.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Build ID: 20110707182747

Steps to reproduce:
I played around with webgl and suddenly my browser crashed. If the string parameter is too long in the function getUniformLocation the browser is going to crash. I created a poc...

Actual results:
The browser crashed
Component: General → Canvas: WebGL
Product: Firefox → Core
QA Contact: general → canvas.webgl
Attachment #548271 - Attachment mime type: application/octet-stream → application/java-archive
Benoit: please investigate this crash to see if it's potentially exploitable.
Assignee: nobody → bjacob
Aral: can you please go to about:crashes and paste here a crash link? I need at least to know if it's a driver crash or a crash in our code. And as Daniel says, we need to know if it's exploitable. All of that should be easy to know once we have a crash link.
Note: no crash here on Linux x86-64, NVIDIA.
Can you also please try with Nightly to see if the crash persists? http://nightly.mozilla.org/
This really looks like a driver issue, so can you please go to about:support and paste here the contents of the Graphics section. Also, if you can spend some more time helping us, can you please bisect on the length of the uniform identifier string, to find out what is the minimum string length that makes it crash.
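Added example (not part of this bug report and not Mozilla's patch): one way a WebGL implementation can reject an over-long uniform name before the string reaches the graphics driver, which the comment above suspects is where the crash happens. The 256-character limit is taken from the WebGL 1.0 specification, not from this page; FakeDriver and all function names are hypothetical.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Assumed limit: the WebGL 1.0 specification caps uniform and attribute
// names at 256 characters. The bug report itself states no number.
constexpr std::size_t kMaxIdentifierLength = 256;

enum class GLError { NoError, InvalidValue };

// Characters allowed in a name passed to getUniformLocation: GLSL identifier
// characters plus '[', ']' and '.' for array elements and struct members.
bool IsUniformNameChar(char c) {
  return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
         (c >= '0' && c <= '9') || c == '_' || c == '[' || c == ']' ||
         c == '.';
}

// Returns NoError only when the name is safe to hand to native code.
// The length test comes first so an oversized string is never scanned.
GLError ValidateUniformName(const std::string& name) {
  if (name.size() > kMaxIdentifierLength) return GLError::InvalidValue;
  for (char c : name) {
    if (!IsUniformNameChar(c)) return GLError::InvalidValue;
  }
  return GLError::NoError;
}

// Hypothetical stand-in for the native glGetUniformLocation entry point.
// It counts calls so a caller can confirm rejected names never reach it.
struct FakeDriver {
  int calls = 0;
  int GetUniformLocation(const std::string& name) {
    ++calls;
    return name == "uColor" ? 3 : -1;  // constructed sample program
  }
};

struct LookupResult {
  GLError error;
  int location;  // -1 when the name is rejected or not found
};

// Validate first; only forward to the driver when validation passes.
LookupResult GetUniformLocationChecked(FakeDriver& driver,
                                       const std::string& name) {
  const GLError err = ValidateUniformName(name);
  if (err != GLError::NoError) return {err, -1};
  return {GLError::NoError, driver.GetUniformLocation(name)};
}

int main() {
  FakeDriver driver;
  // Constructed inputs: two ordinary names and one 1 MiB identifier.
  const std::string samples[] = {"uColor", "lights[2].pos",
                                 std::string(1u << 20, 'a')};
  for (const std::string& s : samples) {
    const LookupResult r = GetUniformLocationChecked(driver, s);
    std::cout << "length " << s.size() << ": "
              << (r.error == GLError::NoError ? "forwarded" : "INVALID_VALUE")
              << ", location " << r.location << "\n";
  }
  std::cout << "driver calls: " << driver.calls << "\n";
  return 0;
}
```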
Karten-Beschreibung: 0x21a00,0x20400
Vendor-ID: 0000
Geräte-ID: 0000
Karten-Ram:
Karten-Treiber:
Treiber-Version:
Treiber-Datum:
Direct2D aktiviert: false
DirectWrite aktiviert: false
WebGL-Renderer: ATI Technologies Inc. -- ATI Radeon HD 4670 OpenGL Engine -- 2.1 ATI-1.6.36
GPU-beschleunigte Fenster: 2/2 OpenGL
If I click on any link in about:crashed I get a page not found page :( so I can not paste a reported link
about:crashes, with a 's' :-) Thanks for the about:support.
I typed about:crashes: And then I have some links like: 01894B2C-F774-4062-9580-E098D46B1863 or bp-1e490885-33f1-43ed-961b-eeda52100601 But if I click on it I get page not found! :(
I can reproduce the crash on a Mac with a NVIDIA card, on current Nightly. Unfortunately I can't submit crash reports at the moment, there seems to be a problem with the crash server.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Aral: next time you get this crash try putting some text in the comment field of the crash reporter -- that raises the priority for processing so hopefully the next one won't get lost. We do have a known problem where crash stacks due to out of memory sometimes can't be captured/submitted.
I can't send a crash report because there is something wrong with the crashreport server... :( But I try to post a stack trace from my mac:

__evaluation_cases_00000000_html.crashlog.txt

JamaLs-iMac:crashlogs jamal$ cat __evaluation_cases_00000000_html.crashlog.txt
exception=EXC_BAD_ACCESS:signal=Segmentation fault:is_exploitable= no:instruction_disassembly=callqCONSTANT:instruction_address=0x00007fff801acc33:access_type=recursion:access_address=0x00007fff5d8fc1b8:
Crash accessing invalid address. Consider running it again with libgmalloc(3) to see if the log changes.

Process: firefox-bin [974]
Path: /Applications/Firefox.app/Contents/MacOS/firefox-bin
Identifier: org.mozilla.firefox
Version: 5.0.1 (5.0.1)
Code Type: X86-64 (Native)
Parent Process: exc_handler [972]
Date/Time: 2011-07-25 23:01:16.672 +0200
OS Version: Mac OS X 10.6.8 (10K540)
Report Version: 6
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00007fff5d8fc1b8
Crashed Thread: 0

Thread 0 Crashed:
0 libGLProgrammability.dylib 0x00007fff801acc33 BindingTable::FindClientBindableUniformBindingLocationByName(char const*) + 297
1 libGLProgrammability.dylib 0x00007fff801ac8d4 ShGetUniformLocation + 92
2 GLEngine 0x0000000115b2c819 glGetUniformLocationARB_Exec + 137
3 XUL 0x00000001004aba8b mozilla::layers::ReadbackSink::~ReadbackSink() + 2151899
4 XUL 0x0000000100a3cfbb xpc_LocalizeContext(JSContext*) + 655771
5 XUL 0x000000010109bdea JS_HashTableRemove + 47994
6 XUL 0x00000001010ac7bf JS_HashTableRemove + 116047
7 XUL 0x00000001010aea26 JS_HashTableRemove + 124854
8 XUL 0x00000001010af171 JS_HashTableRemove + 126721
9 XUL 0x0000000101020531 JS_CallFunctionValue + 65
10 XUL 0x00000001006141e5 mozilla::layers::ReadbackSink::~ReadbackSink() + 3628341
11 XUL 0x0000000100663c56 mozilla::layers::ReadbackSink::~ReadbackSink() + 3954598
12 XUL 0x00000001004b536e mozilla::layers::ReadbackSink::~ReadbackSink() + 2191038
<5FF3D7FD-84D8-C5FA-D640-90BB82EC651D> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib 0x7fff867f1000 - 0x7fff86846ff7 com.apple.framework.familycontrols 2.0.2 (2020) <8807EB96-D12D-8601-2E74-25784A0DE4FF> /System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/FamilyControls 0x7fff8688d000 - 0x7fff86894fff com.apple.OpenDirectory 10.6 (10.6) <4FF6AD25-0916-B21C-9E88-2CC42D90EAC7> /System/Library/Frameworks/OpenDirectory.framework/Versions/A/OpenDirectory 0x7fff86895000 - 0x7fff86896fff liblangid.dylib ??? (???) <EA4D1607-2BD5-2EE2-2A3B-632EEE5A444D> /usr/lib/liblangid.dylib 0x7fff86897000 - 0x7fff86f93ff7 com.apple.CoreGraphics 1.545.0 (???) <58D597B1-EB3B-710E-0B8C-EC114D54E11B> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics 0x7fff86f94000 - 0x7fff86fdbff7 com.apple.coreui 2 (114) <923E33CC-83FC-7D35-5603-FB8F348EE34B> /System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI 0x7fff871cd000 - 0x7fff871cffff com.apple.print.framework.Print 6.1 (237.1) <CA8564FB-B366-7413-B12E-9892DA3C6157> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Print.framework/Versions/A/Print 0x7fff871d0000 - 0x7fff8738eff7 com.apple.ImageIO.framework 3.0.4 (3.0.4) <6212CA66-7B18-2AED-6AA8-45185F5D9A03> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO 0x7fff873bf000 - 0x7fff873bfff7 com.apple.CoreServices 44 (44) <DC7400FB-851E-7B8A-5BF6-6F50094302FB> /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices 0x7fff878c7000 - 0x7fff87a88fef libSystem.B.dylib ??? (???) 
<9AB4F1D1-89DC-0E8A-DC8E-A4FE4D69DB69> /usr/lib/libSystem.B.dylib 0x7fff87b56000 - 0x7fff87b67fff com.apple.DSObjCWrappers.Framework 10.6 (134) <3C08225D-517E-2822-6152-F6EB13A4ADF9> /System/Library/PrivateFrameworks/DSObjCWrappers.framework/Versions/A/DSObjCWrappers 0x7fff87b68000 - 0x7fff87df1ff7 com.apple.security 6.1.2 (55002) <4419AFFC-DAE7-873E-6A7D-5C9A5A4497A6> /System/Library/Frameworks/Security.framework/Versions/A/Security 0x7fff8805c000 - 0x7fff8805ffff com.apple.help 1.3.2 (41.1) <BD1B0A22-1CB8-263E-FF85-5BBFDE3660B9> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Help.framework/Versions/A/Help 0x7fff88060000 - 0x7fff8806bff7 com.apple.HelpData 2.0.5 (34.1.1) <24DC6CD3-02B7-9332-FF6D-F0C545857B55> /System/Library/PrivateFrameworks/HelpData.framework/Versions/A/HelpData 0x7fff884b4000 - 0x7fff88eaeff7 com.apple.AppKit 6.6.8 (1038.36) <4CFBE04C-8FB3-B0EA-8DDB-7E7D10E9D251> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit 0x7fff88eaf000 - 0x7fff88ecfff7 com.apple.DirectoryService.Framework 3.6 (621.12) <A4685F06-5881-35F5-764D-C380304C1CE8> /System/Library/Frameworks/DirectoryService.framework/Versions/A/DirectoryService 0x7fff88ed0000 - 0x7fff88ee7fff com.apple.ImageCapture 6.1 (6.1) <79AB2131-2A6C-F351-38A9-ED58B25534FD> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/ImageCapture.framework/Versions/A/ImageCapture 0x7fff88efc000 - 0x7fff88effff7 com.apple.securityhi 4.0 (36638) <AEF55AF1-54D3-DB8D-27A7-E16192E0045A> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI 0x7fff88f00000 - 0x7fff88f41fef com.apple.QD 3.36 (???) 
<5DC41E81-32C9-65B2-5528-B33E934D5BB4> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD 0x7fff88f42000 - 0x7fff88f42ff7 com.apple.Carbon 150 (152) <FA427C37-CF97-6773-775D-4F752ED68581> /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon 0x7fff88f43000 - 0x7fff89017fe7 com.apple.CFNetwork 454.12.4 (454.12.4) <C83E2BA1-1818-B3E8-5334-860AD21D1C80> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CFNetwork.framework/Versions/A/CFNetwork 0x7fff89018000 - 0x7fff890f5fff com.apple.vImage 4.1 (4.1) <C3F44AA9-6F71-0684-2686-D3BBC903F020> /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vImage.framework/Versions/A/vImage 0x7fff890f6000 - 0x7fff8910ffff com.apple.CFOpenDirectory 10.6 (10.6) <401557B1-C6D1-7E1A-0D7E-941715C37BFA> /System/Library/Frameworks/OpenDirectory.framework/Versions/A/Frameworks/CFOpenDirectory.framework/Versions/A/CFOpenDirectory 0x7fff893a3000 - 0x7fff893b9fe7 com.apple.MultitouchSupport.framework 207.11 (207.11) <8233CE71-6F8D-8B3C-A0E1-E123F6406163> /System/Library/PrivateFrameworks/MultitouchSupport.framework/Versions/A/MultitouchSupport 0x7fff893ea000 - 0x7fff89787fe7 com.apple.QuartzCore 1.6.3 (227.37) <16DFF6CD-EA58-CE62-A1D7-5F6CE3D066DD> /System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore 0x7fff897a3000 - 0x7fff89859ff7 libobjc.A.dylib ??? (???) <03140531-3B2D-1EBA-DA7F-E12CC8F63969> /usr/lib/libobjc.A.dylib 0x7fff8985a000 - 0x7fff89877ff7 libPng.dylib ??? (???) <4815A8F2-24A0-E783-8A5A-7B4959F562D7> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib 0x7fffffe00000 - 0x7fffffe01fff libSystem.B.dylib ??? (???) <9AB4F1D1-89DC-0E8A-DC8E-A4FE4D69DB69> /usr/lib/libSystem.B.dylib
Okay I sent two crash reports with some comments... I hope it will be helpful :-)
> Exception Type: EXC_BAD_ACCESS (SIGSEGV)
> Exception Codes: KERN_PROTECTION_FAILURE at 0x00007fff5d8fc1b8
Argh, seems like something that we have to take seriously security-wise. We need to figure out at what minimum length it starts crashing, and reject such long identifiers on Mac. I'll try to figure the min length myself, but you're very welcome to try yourself.
Okay I'm going to try to figure the min length as well...
I know it is between : 5'242880 and 6'291'456 :-) OMG 1'048'576 Testcases ;-)
Great. Since there's no valid use case for such long identifiers, let's just limit their length to something smaller than that. For example 4096 should cover all real world use cases and then some.
Summary: crash if string is too long in getUniformLocation() --> webgl → WebGL: crash in getUniformLocation with too long uniform identifiers
Yes there is really no use case for such long identifiers and 4096 is more than enough!
This patch limits the length of GLSL uniform and attrib identifiers to 4095 chars. It should fix the problem. I tested that on the testcase it rejects the identifier with appropriate JS warning.
Attachment #549206 - Flags: review?(jmuizelaar)
Comment on attachment 549206: limit GLSL identifiers length
Add a test case please.
Attachment #549206 - Flags: review?(jmuizelaar) → review+
Well, I would like to take this to the WebGL list first.
Landed on central: http://hg.mozilla.org/mozilla-central/rev/6fd3e4c0082d Requesting aurora and beta approval; I don't know for sure that it's severe enough to require beta but I'll let other people judge. The patch is innocuous anyway.
Attachment #549206 - Flags: approval-mozilla-beta?
Attachment #549206 - Flags: approval-mozilla-aurora?
I just remembered that the spec says that WebGL GLSL tokens can't exceed 256 chars. But the limit we have to impose here must be larger to allow addressing structure members (x.y) and arrays (x[y]). So maybe 4K is really a good value.
Note that at the moment we haven't mapped structure field long names in ANGLE yet.
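The length limit described in the comments above (4095 chars for the whole uniform/attrib name, with the 256-char token limit applied to each piece between `.`, `[` and `]`), as an added C++ sketch that is not the Mozilla patch. It goes beyond the patch as described by also checking per-token length; every name in it, including the stand-in driver function, is hypothetical.

```cpp
// Added illustration, not code from the Firefox tree. All names are hypothetical.
#include <cstddef>
#include <string>

// Limits taken from the discussion above: 4095 chars for the whole
// identifier expression, 256 chars for any single GLSL token.
constexpr std::size_t kMaxIdentifierLength = 4095;
constexpr std::size_t kMaxTokenLength = 256;

enum class IdentifierCheck { Ok, Empty, TooLong, TokenTooLong };

// Checks a uniform/attrib name such as "lights[3].color" before it is
// handed to the native GL driver.
IdentifierCheck CheckIdentifier(const std::string& name) {
    if (name.empty()) return IdentifierCheck::Empty;
    // Whole-string cap first: cheap, and it bounds the loop below.
    if (name.size() > kMaxIdentifierLength) return IdentifierCheck::TooLong;

    std::size_t tokenLen = 0;
    for (char c : name) {
        // '.', '[' and ']' separate tokens (struct member, array index).
        if (c == '.' || c == '[' || c == ']') {
            tokenLen = 0;
            continue;
        }
        if (++tokenLen > kMaxTokenLength) return IdentifierCheck::TokenTooLong;
    }
    return IdentifierCheck::Ok;
}

// Stand-in for the driver entry point; it counts calls so a caller can confirm
// that rejected names never reach it. Assumption: a real wrapper would call
// glGetUniformLocation here.
static int g_driverCalls = 0;
static int FakeDriverGetUniformLocation(const std::string&) {
    ++g_driverCalls;
    return 0;
}

// Returns -1 (no location) for rejected names, without calling the driver.
int GetUniformLocationChecked(const std::string& name) {
    if (CheckIdentifier(name) != IdentifierCheck::Ok) return -1;
    return FakeDriverGetUniformLocation(name);
}
```
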
Comment on attachment 549206: limit GLSL identifiers length
Approved for mozilla-aurora and mozilla-beta. Please land ASAP.
Attachment #549206 - Flags: approval-mozilla-beta?
Attachment #549206 - Flags: approval-mozilla-beta+
Attachment #549206 - Flags: approval-mozilla-aurora?
Attachment #549206 - Flags: approval-mozilla-aurora+
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
Whiteboard: [sg:vector-critical?]
Alias: CVE-2011-2989
Heya, any idea what the root cause was here? ANGLE bug? Bug in Firefox? Bug in the Mac OS X GL libraries?
(In reply to Chris Evans from comment #28)
> Heya, any idea what the root cause was here? ANGLE bug? Bug in Firefox? Bug
> in the Mac OS X GL libraries?
This was a bug in the Mac OSX OpenGL libraries. Their implementation of the glGetUniformLocation function crashes when the identifier string passed to them as a function parameter is longer than roughly 5 million characters. See comment 17.
Thanks Benoit. That's a very strange length. Perhaps a stack exhaustion bug? Hard to tell without the stack pointer and faulting address. I'm also looking into Mac OSX OpenGL libraries. They seem bad, and quite a lot of cases can't be worked around with length limits. I'm talking to Apple to help them get their house in order. Have you passed on this case?
I have CC'd Chris Marrin on this bug, but that's all I've done to draw Apple's attention to this bug.
Oh, I've also written to the 3dweb (i.e. webgl) mailing list about this bug. The thread title was 'Limiting identifier parameter length in getUniformLocation to avoid Mac crashes' on July 28.
qa- as no QA fix verification needed
Whiteboard: [sg:vector-critical?] → [sg:vector-critical?][qa-]
I don't understand comment 33 -- this is a crash bug with a testcase and a fix. Seems straightforward to verify and mac is not exactly an exotic platform. Removing the [qa-] as a guess at how to appeal that decision.
Whiteboard: [sg:vector-critical?][qa-] → [sg:vector-critical?]
Sorry, I made a mistake. I thought I was commenting on a different bug (triaging 131 bugs in a couple hours has a high likelihood of human error).
Whiteboard: [sg:vector-critical?] → [sg:vector-critical?][qa+]
Marking qa+ for verification. I've tried reproducing this bug on a few machines in the QA lab, but they don't meet the graphics card criteria (card is blocklisted). Forcing WebGL on about:config just gives me a different crash both before and after the fix. Virtualized environments haven't helped either. Aral, could you help us verify this bug fix with your machine?
I don't have a crash anymore with Firefox Version 6.0.2 --> it seems fixed...
Thanks Aral, can you quickly check Firefox 7? ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/7.0/
No crash with Firefox 7 as well!
Thanks Aral! Marking VERIFIED FIXED based on comment 37 and 39.
Status: RESOLVED → VERIFIED
Keywords: verified-beta
Whiteboard: [sg:vector-critical?][qa+] → [sg:vector-critical?][qa!]
Group: core-security
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+