Closed Bug 767867 Opened 9 years ago Closed 9 years ago
1. http://www.stream.cz/video/691242-autosalon-2012-25?utm_source=Seznam&utm_medium=RSS&utm_campaign=Vyber&tab_no=0&position=0
2. Shutdown
3. Crash

Automation on Aurora on Win7 hit once: comctl32.dll@0x185f68 F1398665248_____________________________ F242739041__________________________________ F_935120839__________________________________ NPSWF32_11_3_300_262.dll@0x319a8f

Will attach crash report and output log. Note breakpad's exploitable tool rated this as highly exploitable.

Running under windbg was not reliable, but it could be reproduced on Aurora and Nightly at least, although the stacks were unrelated to that reported in automation. The crash involved 0xfeeefeee, which is freed heap memory. See attached windbg log. Note !exploitable rated this as probably exploitable.
Contains several different crashes for Aurora and Nightly.
PS. Note you may have to load the site and shutdown multiple times to see the crash.
bc, I don't think these necessarily need to be private. In particular, the crash here is in the plugin-container process, and because Flash content doesn't run in this process (in sandbox mode) it would be very difficult to heap smash or do anything else to exploit this crash even when we're jumping off in the weeds. It would probably be useful to collect minidumps or full dumps from the FlashPlayer_*.exe process(es) though, if your automation can do that.
Jeromie, if you create an issue for this can you add bclary? thanks.
I have at least one additional crash where I've found eax == 0xfeeefeee, but it isn't clear to me if it is the same as this bug. I noticed the dump tarballs were downloaded by Adobe yesterday evening. Were they helpful at all? Is it worth creating new ones? Is there something else I can do to help?
This F1398665248 is not reproducible since 2012-07-11, which is when I started testing '265. -> fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Component: Plug-ins → Flash (Adobe)
Product: Core → Plugins
Resolution: --- → FIXED
Version: Trunk → 11.x
Version and milestone values are being reset to defaults as part of product refactoring.
Version: 11.x → unspecified