[Full-Disclosure] IE6 crash bug; call thru unintialized pointer
KF
dotslash at snosoft.com
Mon Jul 7 16:09:49 BST 2003
Crashes mine...
Instruction at 0x63599ef9 refrenced memory at 0x0000006d memory could
not be read...
IE 6.0.2800.1106.xpsp2-030422-1633
-KF
Richard M. Smith wrote:
>Hi,
>
>I ran across an IE6 crash bug while developing a JavaScript
>debugger. Here's a demo page that shows the problem:
>
>http://www.computerbytesman.com/js/crash/crash.htm
>
>What makes the bug interesting, is that the crash is caused by IE
>dereferencing an uninititalized pointer. These dereferences happen in
>random places in the code. The most interesting location I saw was in a
>CALL instruction.
>
>I don't really have the time to determine if the bug is exploitable to
>run code.
>
>The bug may also be present in earlier versions of IE.
>
>This is one of many crash bugs in IE that are present in the fringes of
>the IE DOM. All the other bugs that I've found so far are just null
>pointer dereferences which I think are harmless.
>
>Richard M. Smith
>http://www.ComputerBytesMan.com
>
>PS. On a few machines, the demo must be reload a few times for a crash
>to occur.
>
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>
Full-Disclosure is hosted and sponsored by Secunia.