Bug 647612 - xul!nsIsIndexFrame::RestoreState+0x39
Opened 13 years ago
Closed 13 years ago
Categories: Firefox :: General, defect
Status: RESOLVED DUPLICATE of bug 639733
Reporter: javg0x83; Assignee: Unassigned
Attachments (1 file): (deleted), application/rar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16
Build Identifier: Firefox/4

-----------------from Readme.txt attached------------------------------

----------- ADVISORY -----------
- Title: xul!nsIsIndexFrame::RestoreState+0x39
- Tested on: Mozilla Firefox
- Affected version (tested): 4
- Unaffected version (tested): 3 (current stable release, 3.6.16)
- OS: Windows XP SP3

----------- ANALYSIS -----------
- First frame in stack frames shows:
[FRAME] xul!nsIsIndexFrame::RestoreState+0x39 [e:\builds\moz2_slave\rel-2.0-w32-bld\build\layout\forms\nsisindexframe.cpp @ 565]

- C++ code:
--------------snip---------------------
NS_IMETHODIMP
nsIsIndexFrame::RestoreState(nsPresState* aState)
{
  NS_ENSURE_ARG_POINTER(aState);

  // Set the value to the stored state.
  nsCOMPtr<nsISupportsString> stateString
    (do_QueryInterface(aState->GetStateProperty()));
  nsAutoString data;              <-- (*) DATA IS NULL
  stateString->GetData(data);     <-- (*) DANGEROUS ZONE
  SetInputValue(data);
  return NS_OK;
}
--------------snip---------------------

- Assembly code:
-------------------------------------snip---------------------------------------
xul!nsIsIndexFrame::RestoreState:
1062f36f 55              push    ebp
1062f370 8d6c2490        lea     ebp,[esp-70h]
1062f374 81ec9c000000    sub     esp,9Ch
1062f37a a170f2c810      mov     eax,dword ptr [xul!__security_cookie (10c8f270)]
1062f37f 33c5            xor     eax,ebp
1062f381 89456c          mov     dword ptr [ebp+6Ch],eax
1062f384 8b457c          mov     eax,dword ptr [ebp+7Ch]
1062f387 85c0            test    eax,eax
1062f389 7507            jne     xul!nsIsIndexFrame::RestoreState+0x23 (1062f392)
1062f38b b803400080      mov     eax,80004003h
1062f390 eb42            jmp     xul!nsIsIndexFrame::RestoreState+0x65 (1062f3d4)
1062f392 ff30            push    dword ptr [eax]
1062f394 8d45d4          lea     eax,[ebp-2Ch]
1062f397 50              push    eax
1062f398 e89720efff      call    xul!nsCOMPtr<nsISupportsString>::nsCOMPtr<nsISupportsString> (10521434)
1062f39d 8d4dd8          lea     ecx,[ebp-28h]
1062f3a0 e8cbe9a3ff      call    xul!nsAutoString::nsAutoString (1006dd70)
1062f3a5 8b45d4          mov     eax,dword ptr [ebp-2Ch]
1062f3a8 8b08            mov     ecx,dword ptr [eax]  ds:0023:00000000=????????  <-- (*) CRASH
1062f3aa 8d55d8          lea     edx,[ebp-28h]
1062f3ad 52              push    edx
1062f3ae 50              push    eax
1062f3af ff5110          call    dword ptr [ecx+10h]  <-- (*) DANGEROUS ZONE
1062f3b2 8d45d8          lea     eax,[ebp-28h]
1062f3b5 50              push    eax
1062f3b6 8b4578          mov     eax,dword ptr [ebp+78h]
1062f3b9 83c08c          add     eax,0FFFFFF8Ch
1062f3bc 50              push    eax
1062f3bd e8a20bf3ff      call    xul!nsIsIndexFrame::SetInputValue (1055ff64)
1062f3c2 8d4dd8          lea     ecx,[ebp-28h]
1062f3c5 e816a5a6ff      call    xul!nsAString_internal::Finalize (100998e0)
1062f3ca 8d4dd4          lea     ecx,[ebp-2Ch]
1062f3cd e86ea4adff      call    xul!nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> (10109840)
1062f3d2 33c0            xor     eax,eax
1062f3d4 8b4d6c          mov     ecx,dword ptr [ebp+6Ch]
1062f3d7 33cd            xor     ecx,ebp
1062f3d9 e822d8d2ff      call    xul!__security_check_cookie (1035cc00)
1062f3de 83c570          add     ebp,70h
1062f3e1 c9              leave
1062f3e2 c20800          ret     8
-------------------------------------snip---------------------------------------

- This seems to be a null pointer. Marked as security for caution, to be on the safe side.

------------------ PROOF OF CONCEPT ------------------
- PoC and stackframes/analyze/!exploitable analysis attached.

-------- STEPS --------
1. Go to the poc dir and launch poc.pl using IP and Port
2. Connect Firefox 4 to this IP:Port
3. Wait for the crash

Note: On my test systems it always crashed in the first round.

--------- CREDITS ---------
Jose A. Vazquez of {http://spa-s3c.blogspot.com}

Reproducible: Always

Steps to Reproduce:
1. Go to the poc dir and launch poc.pl using IP and Port
2. Connect Firefox 4 to this IP:Port
3. Wait for the crash

Actual Results:
Crash

Expected Results:
No crash

Complete info attached
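The crashing pattern in the report, reduced to a stand-alone C++ example. This is added illustration, not Gecko code and not part of the bug or its fix: State stands in for nsPresState, StringState for nsISupportsString, queryString() for do_QueryInterface, and Frame for the frame class; all of these names, the sample state values and the "checked" variant are invented here. It shows why the interface query can legitimately yield a null pointer (the stored property is not the string type the frame expects), that the unchecked code then calls through that null, and what the minimal guard looks like. Gecko's actual fix lives in bug 639733 and may take a different form.

```cpp
// Added example (not Gecko code): mock of the nsIsIndexFrame::RestoreState pattern.
#include <cstdint>
#include <cstdio>
#include <string>

// Mock XPCOM-style result codes. 0x80004003 is the value the disassembly above
// loads into eax on the NS_ENSURE_ARG_POINTER failure path.
using nsresult = uint32_t;
constexpr nsresult NS_OK                   = 0x00000000u;
constexpr nsresult NS_ERROR_INVALID_POINTER = 0x80004003u;
constexpr nsresult NS_ERROR_FAILURE         = 0x80004005u;

// A stored state property. A frame may restore a property that some other
// frame type saved, so it is not guaranteed to be a string.
struct StateProperty { virtual ~StateProperty() = default; };
struct StringState : StateProperty {
    std::string data;
    void GetData(std::string& out) const { out = data; }
};
struct IntState : StateProperty { int value = 0; };

// Stand-in for nsPresState (invented name).
struct State { StateProperty* prop = nullptr; };

// Stand-in for do_QueryInterface<nsISupportsString>: yields nullptr when the
// object does not implement the requested interface. That nullptr is what the
// original code dereferenced.
static const StringState* queryString(const StateProperty* p) {
    return dynamic_cast<const StringState*>(p);
}

struct Frame {
    std::string inputValue;
    void SetInputValue(const std::string& v) { inputValue = v; }

    // Mirrors the reported code: the query result is used without a null check.
    // Only safe to call when aState->prop really is a StringState.
    nsresult RestoreStateUnchecked(State* aState) {
        if (!aState) return NS_ERROR_INVALID_POINTER;   // NS_ENSURE_ARG_POINTER
        const StringState* s = queryString(aState->prop);
        std::string data;
        s->GetData(data);                                // null deref if the query failed
        SetInputValue(data);
        return NS_OK;
    }

    // Hardened variant: bail out when the stored property is not a string.
    nsresult RestoreStateChecked(State* aState) {
        if (!aState) return NS_ERROR_INVALID_POINTER;
        const StringState* s = queryString(aState->prop);
        if (!s) return NS_ERROR_FAILURE;                 // the missing check
        std::string data;
        s->GetData(data);
        SetInputValue(data);
        return NS_OK;
    }
};

// Scenario helpers over constructed sample states, so results can be checked by name.
static bool checkedRestoresStringValue() {
    StringState ss; ss.data = "q=firefox";             // constructed sample value
    State st; st.prop = &ss;
    Frame f;
    return f.RestoreStateChecked(&st) == NS_OK && f.inputValue == "q=firefox";
}
static bool uncheckedRestoresStringValue() {
    StringState ss; ss.data = "q=firefox";
    State st; st.prop = &ss;
    Frame f;
    return f.RestoreStateUnchecked(&st) == NS_OK && f.inputValue == "q=firefox";
}
static nsresult restoreFromNonStringState() {        // the crashing case, guarded
    IntState is; State st; st.prop = &is;
    Frame f;
    return f.RestoreStateChecked(&st);
}
static nsresult restoreFromMissingProperty() {       // property pointer itself null
    State st; Frame f;
    return f.RestoreStateChecked(&st);
}
static nsresult restoreFromNullState() {
    Frame f;
    return f.RestoreStateChecked(nullptr);
}

int main() {
    std::printf("string state restored: %d\n", checkedRestoresStringValue());
    std::printf("non-string state -> 0x%08x\n", restoreFromNonStringState());
    std::printf("null state       -> 0x%08x\n", restoreFromNullState());
    return 0;
}
```

RestoreStateUnchecked is never called with a non-string state here; doing so reproduces the report's read through a null pointer (the `mov ecx,[eax]` vtable load at address 0 in the disassembly), which is a plain crash rather than a controlled write.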
Comment 1 (Reporter) • 13 years ago
Comment 2 • 13 years ago
I can reproduce the crash using the attached test on Linux. The patch in bug 639733 fixes it for me, so I'm pretty sure this is the same problem. There are builds for testing that patch at: http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/mpalmgren@mozilla.com-6c51ca33d503/ (Windows builds will be ready in an hour or so)
Depends on: 639733
Comment 3 (Reporter) • 13 years ago
Tested on build firefox-4.2a1pre.en-US.win32 and it is fixed (OS: Windows XP SP3). Regards, Jose.
Comment 4 • 13 years ago
Thanks for verifying that!
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE