Re: Potential overflow in Internet Explorer

[Greg Rice <grice () IASTATE EDU>]

i have been unable to reproduce this on win2k and NT boxes with IE5.5.  has
anyone tried this on WinMe yet?  have you tried manipulating the input to
figure the exact length needed to cause the overflow?

greg

----- Original Message -----
From: <joetesta () HUSHMAIL COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Monday, January 29, 2001 10:12 PM
Subject: Potential overflow in Internet Explorer


> Hi all --
>
>
>     While doing some testing on a web server, I discovered that Internet
> Explorer crashes when the following URL is typed in the address bar:
>
>
>         http://www.server.com/[a lot of 'A's]
>
>
> Here is the resulting dump:
>
>
> IEXPLORE caused an invalid page fault in
> module <unknown> at 0000:41414141.
> Registers:
> EAX=00000000 CS=017f EIP=41414141 EFLGS=00010246
> EBX=00000000 SS=0187 ESP=0058568c EBP=41414141
> ECX=0000002e DS=0187 ESI=01eef058 FS=581f
> EDX=004bcd28 ES=0187 EDI=0042b6ac GS=0000
> Bytes at CS:EIP:
>
> Stack dump:
> 41414141 41414141 41414141 41414141
> 41414141 41414141 41414141 41414141
> 41414141 41414141 41414141 41414141
> 41414141 41414141 41414141 41414141
>
>
>     I am using version 5.50.4522.1800 on Win98 SE with all critical
updates
> installed.  I attempted to reproduce this crash on three other machines
> without success.  Their version numbers where:
>
>         5.00.2614.3500,
>         5.50.4134.0100,
>         5.50.4134.0600
>
>     It seems as though this may be some sort of regression error,
> bad mix of software, or both.  Can anyone else reproduce this?
>
>
>         - Joe Testa  ( joetesta () hushmail com )