Closed Bug 767867 Opened 9 years ago Closed 9 years ago

Crash comctl32.dll@0x185f68 F1398665248_____________________________ F242739041__________________________________ F_935120839__________________________________ NPSWF32_11_3_300_262.dll@0x319a8f

Categories

(External Software Affecting Firefox :: Flash (Adobe), defect)

x86
Windows 7
defect
Not set
critical

Tracking

(firefox-esr10-)

RESOLVED FIXED
Tracking Status
firefox-esr10 - ---

People

(Reporter: bc, Unassigned)

Details

(Keywords: crash, sec-vector, Whiteboard: [flash-11.3])

Attachments

(3 files)

Attached file aurora log
1. http://www.stream.cz/video/691242-autosalon-2012-25?utm_source=Seznam&utm_medium=RSS&utm_campaign=Vyber&tab_no=0&position=0

2. Shutdown

3. Crash automation on Aurora on Win7 hit once:

comctl32.dll@0x185f68
F1398665248_____________________________ F242739041__________________________________ F_935120839__________________________________ NPSWF32_11_3_300_262.dll@0x319a8f

Will attach crash report and output log. Note breakpad's exploitable tool rated this as highly exploitable.

Running under windbg was not reliable, but it could be reproduced on Aurora and Nightly at least, though the stacks were unrelated to the one reported in automation. The crash involved 0xfeeefeee, which is freed heap memory. See attached windbg log. Note !exploitable rated this as probably exploitable.
Attached file aurora crash report
Attached file windbg output
Contains several different crashes for Aurora and Nightly.
PS. Note you may have to load the site and shutdown multiple times to see the crash.
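Added example, not from this bug's attachments or from Mozilla's code: a small Python triage helper that scans a windbg-style register dump for the Windows debug-heap fill patterns discussed above (0xfeeefeee and its relatives), so a freed-memory crash like this one can be flagged automatically in crash automation. The register dump below is constructed, not taken from the attached logs.

```python
import re
from typing import List, Optional, Tuple

# Fill values written by the Windows debug heap and the MSVC CRT debug allocator.
# Seeing one in a register or faulting address points at a lifetime/initialisation bug.
FILL_PATTERNS = {
    0xFEEEFEEE: "freed heap memory (HeapFree fill, debug heap)",
    0xBAADF00D: "uninitialised HeapAlloc memory (debug heap)",
    0xABABABAB: "guard bytes after a heap allocation",
    0xCDCDCDCD: "uninitialised CRT debug-heap memory",
    0xDDDDDDDD: "freed CRT debug-heap memory",
    0xFDFDFDFD: "CRT debug-heap guard bytes",
    0xCCCCCCCC: "uninitialised stack memory (MSVC debug build)",
}

# Constructed sample in the shape of windbg's `r` output (assumption: 32-bit registers).
SAMPLE_REGISTERS = """\
eax=feeefeee ebx=0012f8c0 ecx=feeefef2 edx=00000000 esi=baadf00d edi=0012f9e8
eip=75a35f68 esp=0012f888 ebp=0012f8b0 iopl=0         nv up ei pl nz na po nc
"""

NEAR_WINDOW = 0x100  # a pattern plus a small field offset is treated as derived from it

def classify(value: int) -> Optional[str]:
    """Describe value if it is a known fill pattern or a small offset from one."""
    if value in FILL_PATTERNS:
        return FILL_PATTERNS[value]
    for pattern, meaning in FILL_PATTERNS.items():
        if pattern < value <= pattern + NEAR_WINDOW:
            # e.g. a read through a freed pointer at struct offset +4
            return f"offset +0x{value - pattern:x} from {meaning}"
    return None

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b")

def scan_registers(dump: str) -> List[Tuple[str, int, str]]:
    """Return (register, value, note) for every register holding a suspicious value."""
    hits = []
    for m in REG_RE.finditer(dump):
        reg, val = m.group(1), int(m.group(2), 16)
        note = classify(val)
        if note:
            hits.append((reg, val, note))
    return hits

if __name__ == "__main__":
    for reg, val, note in scan_registers(SAMPLE_REGISTERS):
        print(f"{reg}=0x{val:08x}: {note}")
```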
bc, I don't think these necessarily need to be private. In particular, the crash here is in the plugin-container process, and because Flash content doesn't run in this process (in sandbox mode) it would be very difficult to heap smash or do anything else to exploit this crash even when we're jumping off in the weeds. It would probably be useful to collect minidumps or full dumps from the FlashPlayer_*.exe process(es) though, if your automation can do that.
Keywords: sec-vector
Whiteboard: [flash-11.3]
Jeromie, if you create an issue for this can you add bclary? thanks.
I have at least one additional crash where I've found eax == 0xfeeefeee but it isn't clear to me if it is the same as this bug.

I noticed the dump tarballs were downloaded by Adobe yesterday evening. Were they helpful at all? Is it worth creating new ones? Is there something else I can do to help?
Blocks: F1398665248
This F1398665248 has not been reproducible since 2012-07-11, which is when I started testing '265.

-> fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Component: Plug-ins → Flash (Adobe)
Product: Core → Plugins
Resolution: --- → FIXED
Version: Trunk → 11.x
Group: core-security → core-security-release
Version and milestone values are being reset to defaults as part of product refactoring.
Version: 11.x → unspecified
Group: core-security-release