Closed Bug 714187 Opened 14 years ago Closed 13 years ago

NX Crash @ nsXBLService::GetBinding

Categories

(Core :: XBL, defect)

14 Branch
All
Windows 7
defect
Not set
critical

RESOLVED DUPLICATE of bug 720991

People

(Reporter: spammaaja, Unassigned)

Details

(Keywords: crash)

Crash Data

bp-5ec5c9ae-4507-4d96-b6ef-88c5f2111229
0 @0xc0335e16
1 xul.dll nsXBLService::GetBinding
2 xul.dll XPCConvert::NativeInterface2JSObject js/xpconnect/src/XPCConvert.cpp:1123
3 xul.dll xul.dll@0x93def
4 xul.dll PresShell::AllocateMisc layout/base/nsPresShell.cpp:1368
5 xul.dll nsRuleNode::ComputeUserInterfaceData layout/style/nsRuleNode.cpp:3573
6 mozutils.dll je_malloc memory/jemalloc/jemalloc.c:6223
7 xul.dll nsACString_internal::Replace xpcom/string/src/nsTSubstring.cpp:487
8 xul.dll xul.dll@0x93def
9 xul.dll nsStandardURL::SetRef netwerk/base/src/nsStandardURL.cpp:2358
10 xul.dll nsStandardURL::SetRef netwerk/base/src/nsStandardURL.cpp:2394
11 msvcr80.dll msvcr80.dll@0x14ed5
12 xul.dll nsStandardURL::EqualsInternal netwerk/base/src/nsStandardURL.cpp:1705
13 xul.dll nsStandardURL::EqualsInternal netwerk/base/src/nsStandardURL.cpp:1707
14 xul.dll nsTHashtable<nsBaseHashtableET<nsURIHashKey,nsRefPtr<nsXBLDocumentInfo> > >::s_MatchEntry obj-firefox/dist/include/nsTHashtable.h:383
15 xul.dll SearchTable obj-firefox/xpcom/build/pldhash.cpp:440
16 xul.dll matchKeyEntry xpcom/ds/nsHashtable.cpp:79
17 xul.dll xul.dll@0x204e3f
18 @0x3
19 @0x80000005
20 mozutils.dll je_malloc memory/jemalloc/jemalloc.c:6223
21 xul.dll nsCSSFrameConstructor::AddFrameConstructionItemsInternal layout/base/nsCSSFrameConstructor.cpp:5075
22 xul.dll nsCSSFrameConstructor::ProcessChildren layout/base/nsCSSFrameConstructor.cpp:9579
Keywords: crash
1dc52b88-ad3e-431b-81dd-378d52120109
According to this report with a similar stack, the user was trying pdf.js. I also remember using pdf.js when this crash happened.
Summary: Crash [@ nsXBLService::GetBinding(nsIContent*, nsIURI*, bool, nsIPrincipal*, bool*, nsXBLBinding**, nsTArray<nsIURI*, nsTArrayDefaultAllocator>&) ] → Crash @ nsXBLService::GetBinding with pdf.js
Summary: Crash @ nsXBLService::GetBinding with pdf.js → NX Crash @ nsXBLService::GetBinding
Whiteboard: [sg:critical]
Version: 10 Branch → 14 Branch
Keywords: sec-critical
(In reply to JK from comment #2)
> Doesn't seem specific to pdf.js according to the comments.
Those crash reports are bug 720991.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
(In reply to Scoobidiver from comment #3)
> (In reply to JK from comment #2)
> > Doesn't seem specific to pdf.js according to the comments.
> Those crash reports are bug 720991.
>
> *** This bug has been marked as a duplicate of bug 720991 ***
Are you sure? Those crashes don't have an invalid EIP.
For what it's worth, the stack in comment 0 is completely bogus. Those things just don't call each other.
(In reply to Boris Zbarsky (:bz) from comment #5)
> For what it's worth, the stack in comment 0 is completely bogus. Those
> things just don't call each other.
The question still remains: is this exploitable?
Hard to tell, since we have no idea what code is accessing what memory.
Keywords: sec-critical
Whiteboard: [sg:critical]