Closed
Bug 830386
Opened 13 years ago
Closed 9 years ago
crash [@ D3DXShader::CConstantTable::FindConstantByName(char const*, D3DXShader::CConstant**) ]
Categories
(Core :: Graphics: CanvasWebGL, defect)
RESOLVED
INCOMPLETE
People
(Reporter: vlad, Assigned: bas.schouten)
Details
(Keywords: sec-moderate)
I got this crash:
https://crash-stats.mozilla.com/report/index/bp-38633ead-df66-4812-b853-876c32130114
when going to http://cl3ver.com/ and clicking on the car at the bottom. I didn't get it the second time around and haven't been able to reproduce it, but it looks worrisome. I don't know if it's a bug in d3dx, but I'd guess it's more likely to be an ANGLE bug?
Comment 1•13 years ago
Not sure we can do much here if we can't repro... the exploitability of that specific crash looks low but that doesn't mean a variant couldn't do worse things. Hard to say if this is in Windows, ANGLE, or our code, maybe bjacob will have a better guess.
Comment 2•13 years ago
Hard to tell from this stack whether the bug is in ANGLE or in Direct3D: the Direct3D method called here takes two pointer arguments, so if these arguments are bad, it could crash without being at fault.
http://msdn.microsoft.com/en-us/library/windows/desktop/bb205767%28v=vs.85%29.aspx
We could know more by reproducing in a debugger...
Comment 3•13 years ago
Hah, actually the crash line is
http://hg.mozilla.org/mozilla-central/annotate/a812ef63de87/gfx/angle/src/libGLESv2/ProgramBinary.cpp#l2045
(Note: the crash report's link fails because of bad capitalization in the path)
Here we can see that the pointers are the addresses of local stack variables, and no cast is involved, so they can't be bad pointers --- so it has got to be a bug in the Direct3D SDK DLL, d3dx9.
In that case, it should go away with the currently-worked-on-by-jgilbert ANGLE update (bug 801158), as the new ANGLE doesn't use D3DX9 anymore.
Depends on: 801158
Comment 4•13 years ago
Can we get a sec rating here?
Comment 5•13 years ago
There doesn't appear to be a case of writing into a random place, so I don't think this is higher than sec-moderate, and most likely sec-low, but, Benoit, please change it if you think it's higher (or lower).
Keywords: sec-moderate
Comment 6•12 years ago
We've had one new ANGLE, and we're likely getting another in the next couple of days, so this may have gone away. Vlad, have you been able to reproduce this more recently?
Updated•12 years ago
Assignee: nobody → bas
Updated•10 years ago
Group: core-security → gfx-core-security
Comment 7•9 years ago
I don't think there's any point in leaving open an old sec-moderate bug that isn't reproducible.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
Updated•6 years ago
Group: gfx-core-security