Bugtraq mailing list archives
RE: New IE crash: CSS + HTML
From: "Robert Ahnemann" <rahnemann () affinity-mortgage com>
Date: Fri, 3 Oct 2003 13:43:34 -0500
Cutting and pasting that into a simple HTML file gets IE to crash as soon as its opened. IE version: 6.0.2800.1106
-----Original Message----- From: arachnid__notdot_net () meta net nz [mailto:arachnid__notdot_net () meta net nz] Sent: Friday, October 03, 2003 12:43 AM To: bugtraq () securityfocus com Subject: New IE crash: CSS + HTML While designing a page today, I stumbled across a combination of HTML
and
CSS that causes IE (6.0.2600.0000 on 2k v5.00.2195 and 6.0.3790 on 2k3
server
v5.2.3790 are the only versions tested so far) to crash with a GPF.
After
a
little work, I distilled the required code down to this:
-----------------------------------------
<html>
<body>
<style type="text/css">
#three {
position: absolute;
}
#one #two {
position: absolute;
}
</style>
<div id="one">
In 'one'
<span id="two">
In 'two'
</div>
<div id="three">
In 'three'
</div>
</body>
-----------------------------------------
A bit of experimentation revealed the following:
The tag with id "one" can be any tag that is 'display: block' by
default.
The tag with id "two" can be any tag that is 'display: inline' by
default.
The tag with id "three" can be any tag at all, including non container tags such as img. The tag with id "two" _must_ be left unclosed. The selector must be "#one #two", simply selecting on #two does not
work.
I'll be the first to admit that this is a bit obscure (though I came across it by accident) - it seems to have something to do with opening an
absolutely
positioned block tag after an absolutely positioned inline tag wasn't closed properly, but is more complicated than that. In windows 2000, it also crashed explorer when I clicked on the file
in in
a file dialog (due to the auto-preview). A brief look at a debugger on the crashed IE instance reveals that the address it crashes at is a RET instruction. I leave it up to people with more talent than I to refine when it
occurs
and why ;). -Nick Johnson
Current thread:
- New IE crash: CSS + HTML arachnid__notdot_net (Oct 03)
- RE: New IE crash: CSS + HTML Brian Paulson (Oct 03)
- RE: New IE crash: CSS + HTML Russ Uhte (Lists) (Oct 03)
- RE: New IE crash: CSS + HTML Drew Copley (Oct 03)
- <Possible follow-ups>
- RE: New IE crash: CSS + HTML Robert Ahnemann (Oct 03)
- Re: New IE crash: CSS + HTML Sherlock (Oct 04)
- Vulnerabilities in Easy File Sharing Web Server (1.2 NEW). nimber (Oct 06)
- RE: New IE crash: CSS + HTML Paul Szabo (Oct 06)
- RE: New IE crash: CSS + HTML Brian Paulson (Oct 03)