[Full-Disclosure] IE6 crash bug; call thru unintialized pointer
dotslash at snosoft.com
Mon Jul 7 16:09:49 BST 2003
Instruction at 0x63599ef9 referenced memory at 0x0000006d memory could
not be read...
Richard M. Smith wrote:
>debugger. Here's a demo page that shows the problem:
>What makes the bug interesting, is that the crash is caused by IE
>dereferencing an uninitialized pointer. These dereferences happen in
>random places in the code. The most interesting location I saw was in a
>I don't really have the time to determine if the bug is exploitable to
>The bug may also be present in earlier versions of IE.
>This is one of many crash bugs in IE that are present in the fringes of
>the IE DOM. All the other bugs that I've found so far are just null
>pointer dereferences which I think are harmless.
>Richard M. Smith
>PS. On a few machines, the demo must be reloaded a few times for a crash
>Full-Disclosure - We believe in it.
Full-Disclosure is hosted and sponsored by Secunia.
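The distinction Richard draws above, between a null pointer dereference and a call through a pointer that was simply never initialised, is easy to see in a few lines of C. The following is an added illustration, not code from the thread and not IE's real data structures: it uses a hypothetical `struct node` with a callback field, a toy allocator that reuses one heap block the way a real heap does after free(), and a dispatcher with the usual NULL check. The point for a defender is that the NULL check only catches the "harmless" case; a stale non-NULL value left over from the block's previous owner passes the check and is called, so the fix is to initialise (or zero) every allocation, not to add more NULL checks.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical event node standing in for an object that holds a callback
 * pointer (constructed for illustration only). */
typedef void (*handler_t)(const char *);
struct node {
    const char *name;
    handler_t   on_event;
};

static int g_calls;                               /* counts handler invocations */
static void old_handler(const char *ev) { (void)ev; g_calls++; }

/* Toy allocator: hands out the same heap block every time, as a real heap
 * does after free(). The unchecked variant leaves the previous contents. */
static struct node *g_block;
static struct node *alloc_unchecked(void)
{
    if (!g_block) g_block = malloc(sizeof *g_block);
    return g_block;                               /* stale bytes still present */
}
static struct node *alloc_zeroed(void)
{
    struct node *n = alloc_unchecked();
    memset(n, 0, sizeof *n);                      /* on_event == NULL, no stale target */
    return n;
}

/* Dispatcher with the customary NULL check. It protects only against the
 * null-pointer case; a stale non-NULL callback passes straight through. */
static int dispatch(const struct node *n, const char *ev)
{
    if (n->on_event == NULL) return 0;            /* detected, nothing called */
    n->on_event(ev);
    return 1;                                     /* called whatever was there */
}

/* Returns 1 if a node obtained without clearing still carries the previous
 * owner's callback and dispatch() calls it despite the NULL check. */
int stale_callback_visible(void)
{
    struct node *first = alloc_unchecked();
    first->name = "first";
    first->on_event = old_handler;
    /* block is "freed" and handed out again; the new owner forgets on_event */
    struct node *second = alloc_unchecked();
    second->name = "second";
    return second->on_event == old_handler && dispatch(second, "click") == 1;
}

/* Returns 1 if zero-initialising on allocation turns the same omission into
 * a NULL field that dispatch() refuses to call. */
int zeroed_callback_is_null(void)
{
    struct node *first = alloc_unchecked();
    first->on_event = old_handler;
    struct node *second = alloc_zeroed();
    second->name = "second";
    return second->on_event == NULL && dispatch(second, "click") == 0;
}

int main(void)
{
    printf("stale callback survives block reuse: %d\n", stale_callback_visible());
    printf("zeroed allocation leaves NULL:       %d\n", zeroed_callback_is_null());
    return 0;
}
```

Run as-is, both lines print 1. In a real heap the stale field would hold whatever the previous occupant of that block wrote, which is why Richard's reported fault address (0x0000006d, a small non-zero offset) is a different animal from a plain NULL dereference: the NULL check in `dispatch()` would not have caught it, only initialising the object would.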