[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: rms at computerbytesman.com (Richard M. Smith)
Subject: IE6 crash bug; call thru unintialized pointer
Hi,
I ran across an IE6 crash bug while developing a JavaScript
debugger. Here's a demo page that shows the problem:
http://www.computerbytesman.com/js/crash/crash.htm
What makes the bug interesting, is that the crash is caused by IE
dereferencing an uninititalized pointer. These dereferences happen in
random places in the code. The most interesting location I saw was in a
CALL instruction.
I don't really have the time to determine if the bug is exploitable to
run code.
The bug may also be present in earlier versions of IE.
This is one of many crash bugs in IE that are present in the fringes of
the IE DOM. All the other bugs that I've found so far are just null
pointer dereferences which I think are harmless.
Richard M. Smith
http://www.ComputerBytesMan.com
PS. On a few machines, the demo must be reload a few times for a crash
to occur.
Powered by blists - more mailing lists