patched_NtMapViewOfSection hit a null read AV if the process heap is not initialized
Categories: Firefox :: Launcher Process, defect, P3
Tracking: firefox72 fixed
People: Reporter: toshi, Assigned: toshi
Attachments: 1 file
If EAF (Export Address Filtering) of Windows Defender is enabled for firefox.exe on Windows 10 1903, firefox fails to launch with a popup saying "The application was unable to start correctly (0xc0000005)." After that, the launcher process is automatically disabled via Registry, so firefox will launch without error next time.
The crash is something like this.
(148c.14a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll!RtlAllocateHeap+0x20:
00007ff9`9903b890 817b10eeddeedd cmp dword ptr [rbx+10h],0DDEEDDEEh ds:00000000`00000010=????????
1:004> knL
# Child-SP RetAddr Call Site
00 00000037`37dfbf10 00007ff9`9907753b ntdll!RtlAllocateHeap+0x20
01 00000037`37dfbf50 00007ff7`b1e47911 ntdll!RtlDuplicateUnicodeString+0xab
02 00000037`37dfbfb0 00007ff7`b1e4666d firefox!mozilla::freestanding::LoaderPrivateAPIImp::GetSectionName+0x71
03 00000037`37dfc420 00007ff9`990dae11 firefox!mozilla::freestanding::patched_NtMapViewOfSection+0xdd
04 00000037`37dfc650 00007ff9`990d9782 ntdll!AvrfMiniLoadDll+0x30d
05 00000037`37dfcb90 00007ff9`990d1503 ntdll!AVrfInitializeVerifier+0x9fa
06 00000037`37dfdca0 00007ff9`990d265a ntdll!LdrpInitializeApplicationVerifierPackage+0xff
07 00000037`37dfe160 00007ff9`990d2aa0 ntdll!LdrpInitializeExecutionOptions+0xd5a
08 00000037`37dff4c0 00007ff9`990c1db5 ntdll!LdrpInitializeProcess+0x358
09 00000037`37dff900 00007ff9`99071853 ntdll!_LdrpInitialize+0x50549
0a 00000037`37dff9a0 00007ff9`990717fe ntdll!LdrpInitialize+0x3b
0b 00000037`37dff9d0 00000000`00000000 ntdll!LdrInitializeThunk+0xe
In this stack, the process tried to load verifier.dll. The crash happened because the process heap was not yet initialized when our hooked function patched_NtMapViewOfSection tried to duplicate a string. The process heap would be initialized in ntdll!LdrpInitializeProcess after ntdll!LdrpInitializeExecutionOptions.
Comment 1•6 years ago
The priority flag is not set for this bug.
:aklotz, could you have a look please?
For more information, please visit auto_nag documentation.
Updated•6 years ago: Assignee
Comment 2•6 years ago
patched_NtMapViewOfSection uses the process default heap to copy a string. However, patched_NtMapViewOfSection can be invoked even before the process heap is initialized. One example we found is Windows Defender's EAF, with which "verifier.dll" is loaded before the process heap is initialized. This patch adds a check whether the heap is initialized or not in patched_NtMapViewOfSection and NativeNtBlockSet::Add. This also minimizes the usage of the heap, i.e. not copying a string when we block a dll.
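A portable model of the check this comment describes, added here as an illustration and not the launcher's own code: a stand-in struct replaces the real PEB and its ProcessHeap field, the blocklist entry is constructed, and falling through to the original NtMapViewOfSection when the heap is missing is an assumption about the fix, not something the comment states.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Stand-in for the PEB: ProcessHeap stays null until the loader's
// LdrpInitializeProcess creates the default heap (constructed model).
struct FakePeb {
    void* ProcessHeap = nullptr;
};

enum class MapViewOutcome { HeapNotReady, Blocked, Allowed };

// Constructed blocklist for the model (the real one lives in NativeNtBlockSet).
static const std::vector<std::string> kBlocklist = {"example-blocked.dll"};

// The guard the patch adds; on Windows this is a null test on
// RtlGetCurrentPeb()->ProcessHeap.
bool IsProcessHeapInitialized(const FakePeb& peb) {
    return peb.ProcessHeap != nullptr;
}

// Case-insensitive compare that allocates nothing, so deciding to block a
// DLL never needs a heap copy of its name.
static bool EqualsIgnoreCase(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i) {
        if (std::tolower((unsigned char)a[i]) != std::tolower((unsigned char)b[i])) return false;
    }
    return true;
}

// Model of the decision inside patched_NtMapViewOfSection. `baseName` is the
// module file name taken from the section; `copiedName` receives a heap copy
// only on the allowed path, after the heap is known to exist.
MapViewOutcome DecideMapView(const FakePeb& peb, const std::string& baseName,
                             std::string* copiedName) {
    if (!IsProcessHeapInitialized(peb)) {
        // Too early, e.g. verifier.dll mapped from LdrpInitializeExecutionOptions:
        // do no heap work; the original NtMapViewOfSection proceeds (assumed fallback).
        return MapViewOutcome::HeapNotReady;
    }
    for (const std::string& blocked : kBlocklist) {
        if (EqualsIgnoreCase(baseName, blocked)) {
            return MapViewOutcome::Blocked;  // no string copy on this path
        }
    }
    if (copiedName) *copiedName = baseName;  // the only allocation in the hook
    return MapViewOutcome::Allowed;
}
```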
Updated•6 years ago
Comment 4•6 years ago
bugherder