Bugzilla@Mozilla – Bug 638018
[1.9.2] crash [@ ycc_rgb_convert] on image with src set to a resource with multipart/x-mixed-replace content type
Last modified: 2011-07-12 08:29:54 PDT
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14

Visiting a webpage that contains multiple images whose src attribute refers to a multipart/x-mixed-replace resource, Firefox 3.6.14 on Windows crashes after some time with [Access_Violation_Write]. Tested on Windows 7.

Reproducible: Always

Steps to Reproduce:
1. Visit test page
2. Wait a few moments

Actual Results: Firefox crashes

Expected Results: Firefox doesn't crash

Like bug 610601, this crash is very intermittent; sometimes Firefox will crash after some seconds, and sometimes Firefox doesn't crash at all.
Created attachment 516185 [details] ScreenShot [ACCESS_VIOLATION_WRITE]
https://crash-stats.mozilla.com/report/index/bp-220402bb-ccd7-4f1f-aaa4-57a4d2110217
Jordi, can you reproduce this with a 4.0 beta build? No crash here...
Firefox 4.0 beta build doesn't crash. But multiple crash reports have been sent for 3.6.14.
https://crash-stats.mozilla.com/report/index/bp-220402bb-ccd7-4f1f-aaa4-57a4d2110217
https://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&date=2011-03-03%2002%3A00%3A00&signature=ycc_rgb_convert&version=Firefox%3A3.6.14
I will retry with 3.6.14.
Mozilla Firefox 3.6.14 crashes again. Please try with Mozilla Firefox 3.6.14.
(Please try with Mozilla Firefox 3.6.14 on Windows.) Not tested on Mac OS, Linux or Solaris...
Crash-stats for this stack (see comment 4) look scary exploitable. Have not been able to repro myself, but socorro shows there's a real problem here somewhere.
The crash is very intermittent; go to http://81.248.6.194/ and wait.
Yeah, I can repro on Linux64 debug but it takes about 30 minutes each time. GDB tells me this is an optimized image, as in bug 610601. It's hard to debug because of the setjmp/longjmp error handling...
Created attachment 518429 [details] TestCase1, the image that crashes Mozilla Firefox
Not Fixed for 3.6.16?
Let's see if the patch in bug 639303 fixes this.
This doesn't happen _as_much_ in Firefox 4.0, but I do see a couple of stacks that are the same as the scary one here.
bp-d0989164-0b9d-4543-a379-a3deb2110331
bp-082ded3e-ff20-4260-94ed-fd20b2110330

This is essentially a dupe of bug 557107, but we might as well work on it in this bug that's already appropriately marked and hidden. Also this one links to a testcase that at least the reporter can reproduce with, even if we can't.

(In reply to comment #12)
> Let's see if the patch in bug 639303 fixes this.

That seems to be a completely different stack and a more reproducible case. In any case it's going to be hard to see if bug 639303 fixes this because even Jordi has trouble reproducing this on mozilla-central nightlies.
I will retry with 4.0.
The fix in bug 639303 has not landed yet. At this point you'll only be testing how hard it is to reproduce on 4.0.
http://meteoaragon.blogspot.com/ sometimes crashes more quickly.
bug 639303 landed on 6.0a1 Nightlies last week and in Fx5 ("Aurora") 5/15. Does it still reproduce in a current Aurora build? https://www.mozilla.com/firefox/channel/
Aurora build doesn't crash. FIXED?
It still crashes on the 1.9.2 branch. Unfortunately the fix for bug 639303 doesn't apply on 1.9.2 or older. Let's use this bug to handle 1.9.2 and older branches and 639303 handle 2.0 and newer.
Fixed for the next release?
mats, we need to get this fixed on 1.9.2 ASAP, as we will disclose it when we ship Fx5.
I tried to reproduce this for about an hour without any crash occurring.
http://81.248.6.194/ - connection times out
http://www.sdj-airport.com/live/ - connection times out
http://meteoaragon.blogspot.com/ - responds, but is very slow
I don't think it's meaningful for me to work on this bug without steps to reproduce that will cause crashes.
(In reply to comment #23)
> http://www.sdj-airport.com/live/ - connection times out

The Sendai airport was hit by the Japanese tsunami.
I reproduced on Mac: https://crash-stats.mozilla.com/report/index/bp-3716d07f-ae97-417c-8208-3db4a2110610
Loading (had to reload a couple of times to get the image to work): http://meteoaragon.blogspot.com/2009/05/http2bpblogspotcomrvky0yt28sfnmfwqa4iaa.html
Reproduced on XP SP3 with last night's 1.9.2.18pre build within three minutes: https://crash-stats.mozilla.com/report/index/4b3985a5-5917-422d-8f66-2feba2110610
Using http://meteoaragon.blogspot.com
Only thing different Dan and I did was disable the flash plugin to make things not pull in Flash data.
meteoaragon.blogspot.com still crashes for me; it takes < 3 minutes to cycle through the images and hit the bad one on WinXP.
bp-76f20d09-4e44-4703-a918-0a4ff2110610
bp-34343f1c-ef08-4d4e-aa17-1a5112110610
bp-3246c590-a19a-46fa-9726-825452110610
I made a testcase that does multipart/x-mixed-replace on an alternating pair of images. You can only hit it from the MV Office VPN, though: http://bsterne.mv.mozilla.com/test/scratch/multipart.php
I haven't observed any crashes with the URL in comment 29, but perhaps the testcase needs to do something more complex than alternate between two images?
This bug qualifies for the security bug bounty.
This bug is a duplicate of bug 524921, which we, for unfathomable reasons, thought did not apply to 1.9.2.
I ported the patch from bug 524921 to 1.9.2 (trivial port). http://hg.mozilla.org/releases/mozilla-1.9.2/rev/b55ede4eaf22
Verified for 1.9.2.18 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110613 Firefox/3.6.18). The test page no longer crashes.
Created attachment 539135 [details] Testcase
http://meteoaragon.blogspot.com/2009/05/http2bpblogspotcomrvky0yt28sfnmfwqa4iaa.html is sometimes 404, but I have a new testcase (crash < 1 min)!
What is the CVE id?
No CVE for this issue? The fix release is for today, isn't it?
CVE-2011-2377