[32132] in bugtraq


Re: IE6 CSS-Crash

daemon@ATHENA.MIT.EDU (xenophi1e)
Wed Oct 22 15:26:46 2003

Date: 22 Oct 2003 18:10:54 -0000
Message-ID: <20031022181054.17016.qmail@sf-www2-symnsj.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: xenophi1e <oliver.lavery@sympatico.ca>
To: bugtraq@securityfocus.com

In-Reply-To: <1066826686.3696.32.camel@falcon>

>Hi,
>the following HTML/JS/CSS-Code crashes IE6 immediately through a
>combination of:
>1. textarea in table in div
>2. css:overflow-y:hidden
>3. changing the scrollbar-base-color
>4. moving the div


This looks like a benign crash to me. On my system IE is tanking in MSHTML.dll at 0x6360CD44 while dereferencing a null pointer (or a 0x22 pointer, to be precise).

6360CD38  mov         dword ptr [esi+9Ch],eax 
6360CD3E  mov         dword ptr [esi+90h],eax 
>6360CD44  cmp         byte ptr [edi+22h],0     ; edi = 0
6360CD48  jne         6360CDDE 
6360CD4E  cmp         byte ptr [edi+23h],0 

Stack:
>	MSHTML.DLL!6360cd44() 	
 	MSHTML.DLL!636199e3() 	
 	MSHTML.DLL!6360b569() 	
 	MSHTML.DLL!6360ba22() 	
 	MSHTML.DLL!636ff83b() 	

Maybe I'm missing something, but it seems pretty run-of-the-mill.

Cheers,
~ol
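
The reasoning in the message above, as an added example that is not part of the original post: a small Python triage helper that resolves the faulting memory operand to an address and flags whether it lands in the unmapped region next to NULL. The 64 KB limit, the function names and the second sample's register value are assumptions of this example; the first sample is the instruction and edi value reported in the message.

```python
import re

# Assumption: in a 32-bit Windows user-mode process the lowest 64 KB are
# never mapped, so an access there faults instead of reaching real data.
NULL_GUARD_LIMIT = 0x10000
READ_ONLY_MNEMONICS = {"cmp", "test", "push"}

# Memory operand in the debugger syntax used above, e.g. "byte ptr [edi+22h]".
OPERAND_RE = re.compile(
    r"ptr \[(?P<base>e[a-z]{2})"
    r"(?:(?P<sign>[+-])(?P<disp>[0-9A-Fa-f]+h|[0-9]+))?\]"
)

def effective_address(instruction, registers):
    """Return (32-bit address, operand offset in the text) for [reg+disp]."""
    m = OPERAND_RE.search(instruction)
    if m is None:
        raise ValueError("no [reg+disp] memory operand in: " + instruction)
    disp = 0
    if m.group("disp"):
        raw = m.group("disp")
        # A trailing 'h' marks hex; bare digits are decimal.
        disp = int(raw[:-1], 16) if raw.endswith("h") else int(raw)
        if m.group("sign") == "-":
            disp = -disp
    return (registers[m.group("base")] + disp) & 0xFFFFFFFF, m.start()

def triage(instruction, registers):
    """Classify the faulting access as near-null or needing analysis."""
    address, operand_pos = effective_address(instruction, registers)
    mnemonic = instruction.split()[0].lower()
    comma = instruction.find(",")
    # The memory operand is written to only when it is the destination
    # (left of the comma) of an instruction that stores its result.
    is_write = (mnemonic not in READ_ONLY_MNEMONICS
                and (comma == -1 or operand_pos < comma))
    return {
        "address": address,
        "access": "write" if is_write else "read",
        "verdict": "near-null" if address < NULL_GUARD_LIMIT else "needs-analysis",
    }

if __name__ == "__main__":
    # Faulting instruction and register value as reported in the message.
    print(triage("cmp byte ptr [edi+22h],0", {"edi": 0}))
    # Constructed contrast case: the esi value is made up for illustration.
    print(triage("mov dword ptr [esi+9Ch],eax", {"esi": 0x00A3F000}))
```

A "near-null" verdict only says the access hit the guard region; it does not rule out cases where the base or displacement is attacker-influenced, so "needs-analysis" results and large offsets still call for a manual look.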
