Closed
Bug 853511
Opened 11 years ago
Closed 11 years ago
xul!DocumentViewerImpl::LoadComplete+0x106 use after free
Categories
(Core :: General, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 840263
People
(Reporter: 41.w4r10r, Unassigned)
Details
(Whiteboard: [sg:dupe 840263])
Attachments
(1 file)
|
3.59 KB,
application/x-rar
|
Details |
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22 Steps to reproduce: opened attached file fuzz11.html Actual results: Crashed Expected results: should have load successfully
|
Reporter | |
Comment 1•11 years ago
|
||
(1a3c.1448): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=0bd188b0 ecx=00000000 edx=004b021c esi=072d4400 edi=079e6bb0 eip=5bf11196 esp=002cc5d8 ebp=002cc638 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246 *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\xul.dll xul!DocumentViewerImpl::LoadComplete+0x106: 5bf11196 8b11 mov edx,dword ptr [ecx] ds:002b:00000000=???????? 0:000> ub xul!DocumentViewerImpl::LoadComplete+0xe9 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\layout\base\nsdocumentviewer.cpp @ 1023]: 5bf11179 807c241400 cmp byte ptr [esp+14h],0 5bf1117e 0f85e3000000 jne xul!DocumentViewerImpl::LoadComplete+0x1d7 (5bf11267) 5bf11184 8b4f28 mov ecx,dword ptr [edi+28h] 5bf11187 8b11 mov edx,dword ptr [ecx] 5bf11189 8b82dc030000 mov eax,dword ptr [edx+3DCh] 5bf1118f 6a04 push 4 5bf11191 ffd0 call eax 5bf11193 8b4f28 mov ecx,dword ptr [edi+28h] 0:000> u xul!DocumentViewerImpl::LoadComplete+0x106 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\layout\base\nsdocumentviewer.cpp @ 1035]: 5bf11196 8b11 mov edx,dword ptr [ecx] 5bf11198 8b82f4040000 mov eax,dword ptr [edx+4F4h] 5bf1119e ffd0 call eax 5bf111a0 8bf0 mov esi,eax 5bf111a2 85f6 test esi,esi 5bf111a4 744d je xul!DocumentViewerImpl::LoadComplete+0x163 (5bf111f3) 5bf111a6 ff06 inc dword ptr [esi] 5bf111a8 f6869000000001 test byte ptr [esi+90h],1 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** WARNING: Unable to verify checksum for firefox.exe *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\WIDCOMM\Bluetooth Software\SysWOW64\BtMmHook.dll - *** WARNING: Unable to verify checksum for C:\Windows\SysWOW64\igd10umd32.dll *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\igd10umd32.dll - *** ERROR: Module load completed but symbols could not be loaded for C:\PROGRA~2\MICROS~1\Office14\1033\GrooveIntlResource.dll *** ERROR: Module load completed but symbols could not be loaded for C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL - *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\mozjs.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\nssckbi.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\nss3.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\freebl3.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\softokn3.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\ssl3.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\nspr4.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\mozglue.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\nssutil3.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\xpcom.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\smime3.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\mozalloc.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\plc4.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\plds4.dll *** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\nssdbm3.dll *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\slc.dll - ************************************************************************* *** *** *** *** *** Your debugger is not using the correct symbols *** *** *** *** In order for this command to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: kernel32!pNlsUserInfo *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Your debugger is not using the correct symbols *** *** *** *** In order for this command to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: kernel32!pNlsUserInfo *** *** *** ************************************************************************* FAULTING_IP: xul!DocumentViewerImpl::LoadComplete+106 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\layout\base\nsdocumentviewer.cpp @ 1035] 5bf11196 8b11 mov edx,dword ptr [ecx] EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 5bf11196 (xul!DocumentViewerImpl::LoadComplete+0x00000106) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 00000000 Attempt to read from address 00000000 FAULTING_THREAD: 00001448 PROCESS_NAME: firefox.exe ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 00000000 READ_ADDRESS: 00000000 FOLLOWUP_IP: xul!DocumentViewerImpl::LoadComplete+106 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\layout\base\nsdocumentviewer.cpp @ 1035] 5bf11196 8b11 mov edx,dword ptr [ecx] NTGLOBALFLAG: 470 APPLICATION_VERIFIER_FLAGS: 0 BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_NULL_POINTER_WRITE_NULL_POINTER_READ PRIMARY_PROBLEM_CLASS: INVALID_POINTER_WRITE_NULL_POINTER_WRITE DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE_NULL_POINTER_WRITE LAST_CONTROL_TRANSFER: from 5bf18ca2 to 5bf11196 STACK_TEXT: 002cc638 5bf18ca2 079e6bb0 00000000 072da400 xul!DocumentViewerImpl::LoadComplete+0x106 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\layout\base\nsdocumentviewer.cpp @ 1035] 002cc844 5bf4281d 072da414 079e6b0c 00000000 xul!nsDocShell::EndPageLoad+0x1c2 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\docshell\base\nsdocshell.cpp @ 6524] 002cc910 5bf67dea 072da4d4 072da414 079e6b0c xul!nsDocShell::OnStateChange+0x11d [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\docshell\base\nsdocshell.cpp @ 6345] 002cc950 5c04854f 072da434 072da414 079e6b0c xul!nsDocLoader::DoFireOnStateChange+0x12a [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\uriloader\base\nsdocloader.cpp @ 1302] 002cc9a4 5c0487c8 072da400 079e6b0c 00020010 xul!nsDocLoader::doStopDocumentLoad+0x9f [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\uriloader\base\nsdocloader.cpp @ 885] 002cc9d8 5bf606f4 00000001 06e40a00 00000000 xul!nsDocLoader::DocLoaderIsEmpty+0x1c8 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\uriloader\base\nsdocloader.cpp @ 777] 002cca00 5bf49335 00000000 0c0b3610 00000000 xul!nsDocLoader::OnStopRequest+0x104 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\uriloader\base\nsdocloader.cpp @ 662] 002cca54 5c131615 002cca80 5c086789 06e40a00 xul!nsLoadGroup::RemoveRequest+0x145 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\netwerk\base\src\nsloadgroup.cpp @ 697] 002cca84 5c002bc5 0720d520 00e033e0 00e033d0 xul!nsLoadGroup::QueryInterface+0x14 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\netwerk\base\src\nsloadgroup.cpp @ 176] 002ccb24 5c0e9fa0 00e2d101 2909e01c 00e21280 xul!nsThread::ProcessNextEvent+0x1b5 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\xpcom\threads\nsthread.cpp @ 633] 002ccb5c 5c0e9f48 00000001 5c05ba00 00000000 xul!MessageLoop::RunHandler+0x21 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\ipc\chromium\src\base\message_loop.cc @ 209] 002ccb78 5be7ee19 00e02290 00e54d80 5c0e9ec8 xul!MessageLoop::Run+0x15 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\ipc\chromium\src\base\message_loop.cc @ 183] 002ccb84 5c0e9ec8 00e54d80 00e18300 01180000 xul!nsBaseAppShell::Run+0x34 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\widget\xpwidgets\nsbaseappshell.cpp @ 165] 002cead8 5c12144b 00e54d80 00e18300 5c0b8dad xul!nsAppShell::Run+0x4e [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\widget\windows\nsappshell.cpp @ 229] 002ceae4 5c0b8dad 00e18300 00000000 708310a0 xul!nsAppStartup::Run+0x1e [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\toolkit\components\startup\nsappstartup.cpp @ 291] 002cebbc 5be8d0f0 011832e8 002cebf4 003a3168 xul!XREMain::XRE_mainRun+0x3ed [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\toolkit\xre\nsapprunner.cpp @ 3823] 002cebd4 5c0e07e7 002cebf4 00000001 003a3168 xul!XREMain::XRE_main+0xdf [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\toolkit\xre\nsapprunner.cpp @ 3890] 002cecec 01181742 00000001 003a3168 011832e8 xul!XRE_main+0x30 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\toolkit\xre\nsapprunner.cpp @ 4084] 002cf7c4 01181a64 00000001 003a1388 003a1410 firefox!wmain+0x742 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\toolkit\xre\nswindowswmain.cpp @ 105] 002cf808 754f33aa fffde000 002cf854 772f9ef2 firefox!__tmainCRTStartup+0x122 [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 552] 002cf814 772f9ef2 fffde000 7b3d983a 00000000 kernel32!BaseThreadInitThunk+0xe 002cf854 772f9ec5 01181b85 fffde000 00000000 ntdll!__RtlUserThreadStart+0x70 002cf86c 00000000 01181b85 fffde000 00000000 ntdll!_RtlUserThreadStart+0x1b SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: xul!DocumentViewerImpl::LoadComplete+106 FOLLOWUP_NAME: MachineOwner MODULE_NAME: xul IMAGE_NAME: xul.dll DEBUG_FLR_IMAGE_TIMESTAMP: 5138a0ed STACK_COMMAND: ~0s ; kb FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_NULL_POINTER_WRITE_c0000005_xul.dll!DocumentViewerImpl::LoadComplete BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_NULL_POINTER_WRITE_NULL_POINTER_READ_xul!DocumentViewerImpl::LoadComplete+106 WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/firefox_exe/19_0_2_4814/5138a1d3/xul_dll/19_0_2_4814/5138a0ed/c0000005/000a1196.htm?Retriage=1 Followup: MachineOwner ---------
|
|
Reporter | |
Comment 2•11 years ago
|
||
also triggered on Firefox ESR 17.0.4
|
||
Comment 4•11 years ago
|
||
looks like a null deref from the stack, but we'll know more when we can debug it.
Component: Untriaged → General
Product: Firefox → Core
|
||
Updated•11 years ago
|
Attachment #727762 -
Attachment mime type: application/octet-stream → application/x-rar
|
|
||
Comment 5•11 years ago
|
||
I see the crash in Firefox 19, but not in a current nightly. The fx19 crashes I see are definitely null derefs. This got fixed in bug 840263 as far as I can tell, which is why it's not crashing on trunk.
|
||
Comment 6•11 years ago
|
||
I see what Boris sees. This crashes current 19. Does not crash nightly. If I had an ASan build of 19, I could get a better stack, but that requires making a custom build. Happy to do that, but only if it's needed.
Flags: needinfo?(mwobensmith)
|
|
||
Updated•11 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Flags: sec-bounty-
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 840263]
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•