[31952] in bugtraq


RE: New IE crash: CSS + HTML

daemon@ATHENA.MIT.EDU (Drew Copley)
Fri Oct 3 15:30:17 2003

From: "Drew Copley" <dcopley@eeye.com>
To: <arachnid__notdot_net@meta.net.nz>, <bugtraq@securityfocus.com>
Date: Fri, 3 Oct 2003 10:53:55 -0700
Message-ID: <000001c389d7$509fcdd0$2b02a8c0@dcopley>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1065159792.3f7d0c7102496@admin.meta.net.nz>

On Windows 2003, and probably other OSes, it crashes below:

74809430   add         ecx,dword ptr [eax+8]

Where EAX is 00000000, which comes out to mean there is nothing at that
pointer, hence the crash.



> -----Original Message-----
> From: arachnid__notdot_net@meta.net.nz 
> [mailto:arachnid__notdot_net@meta.net.nz] 
> Sent: Thursday, October 02, 2003 10:43 PM
> To: bugtraq@securityfocus.com
> Subject: New IE crash: CSS + HTML
> 
> 
> While designing a page today, I stumbled across a combination 
> of HTML and CSS that causes IE (6.0.2600.0000 on 2k 
> v5.00.2195 and 6.0.3790 on 2k3 server v5.2.3790 are the only 
> versions tested so far) to crash with a GPF. After a little 
> work, I distilled the required code down to this:
> 
> -----------------------------------------
> <html>
> <body>
> <style type="text/css">
> 	#three {
> 		position: absolute;
> 	}
> 	#one #two {
> 		position: absolute;
> 	}
> </style>
> <div id="one">
> 	In 'one'
> 	<span id="two">
> 	In 'two'
> </div>
> <div id="three">
> 	In 'three'
> </div>
> </body>
> -----------------------------------------
> 
> A bit of experimentation revealed the following:
> The tag with id "one" can be any tag that is 'display: block' 
> by default. The tag with id "two" can be any tag that is 
> 'display: inline' by default. The tag with id "three" can be 
> any tag at all, including non-container tags such as img. The 
> tag with id "two" _must_ be left unclosed. The selector must 
> be "#one #two"; simply selecting on #two does not work.
> 
> I'll be the first to admit that this is a bit obscure (though 
> I came across it by accident) - it seems to have something to 
> do with opening an absolutely positioned block tag after an 
> absolutely positioned inline tag wasn't closed properly, but 
> is more complicated than that. In Windows 2000, it also 
> crashed Explorer when I clicked on the file in a file 
> dialog (due to the auto-preview).
> 
> A brief look at a debugger on the crashed IE instance reveals 
> that the address it crashes at is a RET instruction.
> 
> I leave it up to people with more talent than I to refine 
> when it occurs and why ;).
> 
> -Nick Johnson
> 
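A heuristic scanner for the structural pattern Nick describes (a block element whose inline child is never closed, a "#block #inline" descendant rule setting position: absolute, and a later absolutely positioned element), added here as an example and not code from either poster. The BLOCK/INLINE tag lists, the selector handling and the sample markup are assumptions constructed for this illustration.

```python
import re
from html.parser import HTMLParser

# Constructed lists of tags that default to display:block / display:inline.
BLOCK = {"body", "div", "p", "ul", "ol", "li", "table", "form", "h1", "h2", "h3"}
INLINE = {"span", "a", "b", "i", "em", "strong", "font", "u"}

def absolute_selectors(css):
    """Return the id chain (as a tuple) of every rule that sets position: absolute."""
    chains = set()
    for sel, body in re.findall(r"([^{}]+)\{([^}]*)\}", css):
        if re.search(r"position\s*:\s*absolute", body):
            chains.add(tuple(re.findall(r"#(\w+)", sel)))
    return chains

class Scanner(HTMLParser):  # tracks open elements and inline ones a block's end tag implicitly closes
    def __init__(self):
        super().__init__()
        self.stack, self.css, self.in_style = [], "", False
        self.unclosed, self.ids = set(), []    # {(block_id, inline_id)}, element ids in document order
    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        self.stack.append((tag, dict(attrs).get("id")))
        self.ids.append(self.stack[-1][1])
    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
        dropped = []                           # elements popped before the matching start tag
        while self.stack:
            t, eid = self.stack.pop()
            if t == tag:
                if t in BLOCK:
                    self.unclosed |= {(eid, d) for dt, d in dropped if dt in INLINE}
                break
            dropped.append((t, eid))
    def handle_data(self, data):
        if self.in_style: self.css += data    # html.parser hands <style> content to handle_data

def matches_crash_pattern(markup):
    """True when an unclosed inline child, a '#block #inline' absolute rule and a later absolute id coincide."""
    s = Scanner()
    s.feed(markup)
    chains = absolute_selectors(s.css)
    for _block, inline in s.unclosed & chains:
        if any((i,) in chains for i in s.ids[s.ids.index(inline) + 1:]):
            return True
    return False

# Constructed sample: the post's reduced test case, with <span id='two'> left unclosed.
SAMPLE = ('<html><body><style>#three { position: absolute; } #one #two { position: absolute; }</style>'
          "<div id='one'>In one<span id='two'>In two</div><div id='three'>In three</div></body></html>")
```

Closing the span, or replacing the descendant selector with a plain "#two" rule, makes the check return False, matching the two conditions the post calls out.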

