NX Crash @ nsXBLService::GetBinding

RESOLVED DUPLICATE of bug 720991

Status

()

Core
XBL
--
critical
RESOLVED DUPLICATE of bug 720991
7 years ago
3 years ago

People

(Reporter: JK, Unassigned)

Tracking

({crash})

14 Branch
All
Windows 7
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

7 years ago
bp-5ec5c9ae-4507-4d96-b6ef-88c5f2111229

0 		@0xc0335e16 	
1 	xul.dll 	nsXBLService::GetBinding 	
2 	xul.dll 	XPCConvert::NativeInterface2JSObject 	js/xpconnect/src/XPCConvert.cpp:1123
3 	xul.dll 	xul.dll@0x93def 	
4 	xul.dll 	PresShell::AllocateMisc 	layout/base/nsPresShell.cpp:1368
5 	xul.dll 	nsRuleNode::ComputeUserInterfaceData 	layout/style/nsRuleNode.cpp:3573
6 	mozutils.dll 	je_malloc 	memory/jemalloc/jemalloc.c:6223
7 	xul.dll 	nsACString_internal::Replace 	xpcom/string/src/nsTSubstring.cpp:487
8 	xul.dll 	xul.dll@0x93def 	
9 	xul.dll 	nsStandardURL::SetRef 	netwerk/base/src/nsStandardURL.cpp:2358
10 	xul.dll 	nsStandardURL::SetRef 	netwerk/base/src/nsStandardURL.cpp:2394
11 	msvcr80.dll 	msvcr80.dll@0x14ed5 	
12 	xul.dll 	nsStandardURL::EqualsInternal 	netwerk/base/src/nsStandardURL.cpp:1705
13 	xul.dll 	nsStandardURL::EqualsInternal 	netwerk/base/src/nsStandardURL.cpp:1707
14 	xul.dll 	nsTHashtable<nsBaseHashtableET<nsURIHashKey,nsRefPtr<nsXBLDocumentInfo> > >::s_MatchEntry 	obj-firefox/dist/include/nsTHashtable.h:383
15 	xul.dll 	SearchTable 	obj-firefox/xpcom/build/pldhash.cpp:440
16 	xul.dll 	matchKeyEntry 	xpcom/ds/nsHashtable.cpp:79
17 	xul.dll 	xul.dll@0x204e3f 	
18 		@0x3 	
19 		@0x80000005 	
20 	mozutils.dll 	je_malloc 	memory/jemalloc/jemalloc.c:6223
21 	xul.dll 	nsCSSFrameConstructor::AddFrameConstructionItemsInternal 	layout/base/nsCSSFrameConstructor.cpp:5075
22 	xul.dll 	nsCSSFrameConstructor::ProcessChildren 	layout/base/nsCSSFrameConstructor.cpp:9579
(Reporter)

Updated

7 years ago
Keywords: crash
(Reporter)

Comment 1

7 years ago
1dc52b88-ad3e-431b-81dd-378d52120109

According to this report with a similar stack, the user was trying pdf.js. I also remember using pdf.js when this crash happened.

Updated

6 years ago
Summary: Crash [@ nsXBLService::GetBinding(nsIContent*, nsIURI*, bool, nsIPrincipal*, bool*, nsXBLBinding**, nsTArray<nsIURI*, nsTArrayDefaultAllocator>&) ] → Crash @ nsXBLService::GetBinding with pdf.js
(Reporter)

Comment 2

6 years ago
This NX/DEP access violation still seems to be unfixed. Doesn't seem specific to pdf.js according to the comments.

https://crash-stats.mozilla.com/report/index/8dc2c570-8a76-4d5b-951e-57c652120727
https://crash-stats.mozilla.com/report/index/c8064a7d-f7e6-40f4-8922-60ff82120727
https://crash-stats.mozilla.com/report/index/c79ec247-e51c-4f49-83d6-a53852120727
Summary: Crash @ nsXBLService::GetBinding with pdf.js → NX Crash @ nsXBLService::GetBinding
Whiteboard: [sg:critical]
Version: 10 Branch → 14 Branch
(Reporter)

Updated

6 years ago
Keywords: sec-critical

Comment 3

6 years ago
(In reply to JK from comment #2)
> Doesn't seem specific to pdf.js according to the comments.
Those crash reports are bug 720991.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 720991
(Reporter)

Comment 4

6 years ago
(In reply to Scoobidiver from comment #3)
> (In reply to JK from comment #2)
> > Doesn't seem specific to pdf.js according to the comments.
> Those crash reports are bug 720991.
> 
> *** This bug has been marked as a duplicate of bug 720991 ***

Are you sure? Those crashes don't have an invalid EIP.
For what it's worth, the stack in comment 0 is completely bogus.  Those things just don't call each other.
(Reporter)

Comment 6

6 years ago
(In reply to Boris Zbarsky (:bz) from comment #5)
> For what it's worth, the stack in comment 0 is completely bogus.  Those
> things just don't call each other.

The question still remains: is this exploitable?
Hard to tell, since we have no idea what code is accessing what memory.
Keywords: sec-critical
Whiteboard: [sg:critical]
You need to log in before you can comment on or make changes to this bug.