LokeshReddySura / dominator

Automatically exported from code.google.com/p/dominator

Null pointer dereference #2

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Browse to aol.com
2. Click the button to scroll to the next story
3. Have ImmunityDebugger ready to go =)

What is the expected output? What do you see instead?
Expect nothing, get crash.

What version of the product are you using? On what operating system?
Windows 7 64-bit.

Please provide any additional information below.

EAX = 08041460 EBX = 09347470 ECX = 00000001 EDX = 00000000  
ESI = 052836F0 EDI = 006225E0 **EIP = 00000000** ESP = 001AE8F4  
EBP = 001AE938 EFL = 00010202

Here's the callstack at time of death. I don't have debug symbols for this 
version of Firefox. Obviously an AC violation @ 0x000....00000.
    00000000()  
    js3250.dll!6ef2d4e1()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d4f5()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d4f5()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d4f5()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d4f5()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d4f5()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d4f5()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d4f5()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d4f5()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d4f5()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d4f5()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d4f5()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d4f5()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d4f5()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d4f5()   
    js3250.dll!6ef2d321()   
    js3250.dll!6ef2d5e3()   
    js3250.dll!6ef3434e()   
    js3250.dll!6eeec497()   
    xul.dll!6932bde9()  
    js3250.dll!6eee5c82()   
    js3250.dll!6eee5e06()   
    js3250.dll!6eeb8107()   
    xul.dll!6954b787()  
    xul.dll!6958b557()  
    xul.dll!698d8082()  
    xul.dll!6999c73f()  
    xul.dll!698a4eec()  
    xul.dll!698a517c()  
    xul.dll!698a52ad()  
    xul.dll!6985ab6d()  
    xul.dll!69782f08()  
    xul.dll!69307216()  
    xul.dll!698c753e()  
    xul.dll!698cf15c()  
    xul.dll!698c37aa()  
    xul.dll!698c6c7f()  
    xul.dll!6985da53()  
    xul.dll!69307a9d()  
    firefox.exe!013e1779()  
    firefox.exe!013e1890()  
    firefox.exe!013e1a7f()  
    kernel32.dll!766733ca()     
    ntdll.dll!772a9ed2()    
    ntdll.dll!772a9ea5()    

Original issue reported on code.google.com by arshan.d...@gmail.com on 5 May 2011 at 3:48

GoogleCodeExporter commented 9 years ago
The top of the call stack looks a bit recursive, if that helps. Do you have 
.pdb files for your FF build? At least for js3250.dll?

Original comment by arshan.d...@gmail.com on 5 May 2011 at 6:13

GoogleCodeExporter commented 9 years ago

Original comment by stefano....@gtempaccount.com on 6 May 2011 at 6:27

GoogleCodeExporter commented 9 years ago
This is due to an implementation problem when taking reference to a JSString to 
save tainting backtrace. 
There were more issues on this. I should have missed some of these bugs 
somewhere.
I'll dig into it asap.

Thanks.

Original comment by stefano....@gtempaccount.com on 6 May 2011 at 10:46
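Added illustration, not DOMinator's code and not posted by anyone in this thread: the comment above attributes the crash to taking a reference to a JSString when saving the taint backtrace, but does not say how that reference goes bad. One common way a stored reference ends up null or dangling is a record that keeps a bare pointer while the string's real owner releases it. The C below (every name is hypothetical: `TaintString`, `TaintFrame`, `bt_push`; the sample strings are constructed) models the ownership rule that avoids that class of defect: each backtrace frame takes its own reference-counted hold on the string and refuses a NULL source at insertion time, so the pointer is neither dangling nor null when the backtrace is read later.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reference-counted string standing in for the engine's string object
   (hypothetical; not SpiderMonkey's JSString). */
typedef struct TaintString {
    char *chars;
    size_t len;
    int refcount;
} TaintString;

TaintString *ts_new(const char *src) {
    TaintString *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->len = strlen(src);
    s->chars = malloc(s->len + 1);
    if (!s->chars) { free(s); return NULL; }
    memcpy(s->chars, src, s->len + 1);
    s->refcount = 1;                 /* the creator holds the first reference */
    return s;
}

TaintString *ts_addref(TaintString *s) {
    if (s) s->refcount++;
    return s;
}

void ts_release(TaintString *s) {
    if (!s) return;
    if (--s->refcount == 0) {        /* last holder frees the storage */
        free(s->chars);
        free(s);
    }
}

/* One step of the taint history: which operation saw which tainted string.
   The frame owns a reference to the string, so the pointer cannot dangle. */
typedef struct TaintFrame {
    const char *op;
    TaintString *source;
    struct TaintFrame *next;
} TaintFrame;

typedef struct TaintBacktrace {
    TaintFrame *head;
    size_t depth;
} TaintBacktrace;

/* Returns 1 on success, 0 if the inputs are unusable. A NULL source is
   refused here rather than stored and dereferenced later. */
int bt_push(TaintBacktrace *bt, const char *op, TaintString *source) {
    if (!bt || !op || !source) return 0;
    TaintFrame *f = calloc(1, sizeof *f);
    if (!f) return 0;
    f->op = op;
    f->source = ts_addref(source);   /* the frame takes its own reference */
    f->next = bt->head;
    bt->head = f;
    bt->depth++;
    return 1;
}

void bt_free(TaintBacktrace *bt) {
    TaintFrame *f = bt->head;
    while (f) {
        TaintFrame *next = f->next;
        ts_release(f->source);       /* drop the reference the frame took */
        free(f);
        f = next;
    }
    bt->head = NULL;
    bt->depth = 0;
}

/* Scenario 1: the original owner releases its string while a backtrace frame
   still refers to it. Returns 1 if the frame's string is still intact. */
int scenario_owner_releases_first(void) {
    TaintString *s = ts_new("tainted-fragment");   /* constructed sample */
    TaintBacktrace bt = {0};
    if (!s || !bt_push(&bt, "location.hash", s)) { ts_release(s); return 0; }
    ts_release(s);                   /* owner is done; the frame keeps it alive */
    int intact = bt.head->source->refcount == 1
              && strcmp(bt.head->source->chars, "tainted-fragment") == 0;
    bt_free(&bt);
    return intact;
}

/* Scenario 2: a NULL string must never become a frame at all. */
int scenario_null_source_rejected(void) {
    TaintBacktrace bt = {0};
    int pushed = bt_push(&bt, "innerHTML", NULL);
    return pushed == 0 && bt.depth == 0 && bt.head == NULL;
}

int main(void) {
    printf("owner releases first, frame intact: %d\n", scenario_owner_releases_first());
    printf("null source rejected: %d\n", scenario_null_source_rejected());
    return 0;
}
```

The two scenarios are the checks a reviewer would want around any "save a reference for later" code path in a tracer: that the saved object outlives its original owner, and that a null reference is rejected at the boundary instead of surfacing as a fault at address 0 deep in the call stack.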