Closed
Bug 767867
Opened 9 years ago
Closed 9 years ago
Crash comctl32.dll@0x185f68 F1398665248_____________________________ F242739041__________________________________ F_935120839__________________________________ NPSWF32_11_3_300_262.dll@0x319a8f
Categories
(External Software Affecting Firefox :: Flash (Adobe), defect)
Tracking
(firefox-esr10-)
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox-esr10 | - | --- |
People
(Reporter: bc, Unassigned)
References
()
Details
(Keywords: crash, sec-vector, Whiteboard: [flash-11.3])
Attachments
(3 files)
1. http://www.stream.cz/video/691242-autosalon-2012-25?utm_source=Seznam&utm_medium=RSS&utm_campaign=Vyber&tab_no=0&position=0 2. Shutdown 3. Crash automation on Aurora on Win7 hit once: comctl32.dll@0x185f68 F1398665248_____________________________ F242739041__________________________________ F_935120839__________________________________ NPSWF32_11_3_300_262.dll@0x319a8f Will attach crash report and output log. Note breakpad's exploitable tool rated this as highly exploitable. Running under windbg was not reliable but could be reproduced on Aurora and Nighty at least but the stacks were unrelated to that reported in automation. The crash involved 0xfeeefeee which is freed heap memory. See attached windbg log. Note !exploitable rated this as probably exploitable
|
Reporter | |
Comment 1•9 years ago
|
||
|
|
Reporter | |
Comment 2•9 years ago
|
||
contains several different crashes for aurora and nightly.
|
|
Reporter | |
Comment 3•9 years ago
|
||
PS. Note you may have to load the site and shutdown multiple times to see the crash.
|
||
Comment 4•9 years ago
|
||
bc, I don't think these necessarily need to be private. In particular, the crash here is in the plugin-container process, and because Flash content doesn't run in this process (in sandbox mode) it would be very difficult to heap smash or do anything else to exploit this crash even when we're jumping off in the weeds. It would probably be useful to collect minidumps or full dumps from the FlashPlayer_*.exe process(es) though, if your automation can do that.
|
||
Updated•9 years ago
|
Keywords: sec-vector
|
||
Updated•9 years ago
|
Whiteboard: [flash-11.3]
|
|
Reporter | |
Comment 7•9 years ago
|
||
Jeromie, if you create an issue for this can you add bclary? thanks.
|
|
Reporter | |
Comment 8•9 years ago
|
||
I have at least one additional crash where I've found eax == 0xfeeefeee but it isn't clear to me if it is the same as this bug. I noticed the dump tar balls were downloaded by Adobe yesterday evening. Were they helpful at all? Is it worth creating new ones? Is there something else I can do to help?
|
|
||
Updated•9 years ago
|
Blocks: F1398665248
|
|
Reporter | |
Comment 9•9 years ago
|
||
This F1398665248 is not reproducible since 2012-07-11 which is when I started testing '265. -> fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Component: Plug-ins → Flash (Adobe)
Product: Core → Plugins
Resolution: --- → FIXED
Version: Trunk → 11.x
|
|
||
Updated•9 years ago
|
tracking-firefox-esr10:
--- → -
|
||
Updated•6 years ago
|
Group: core-security → core-security-release
|
|
||
Comment 10•5 years ago
|
||
Version and milestone values are being reset to defaults as part of product refactoring.
Version: 11.x → unspecified
|
|
||
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•