Bugtraq mailing list archives
RE: New IE crash: CSS + HTML
From: "Drew Copley" <dcopley () eeye com>
Date: Fri, 3 Oct 2003 10:53:55 -0700
On Windows 2003, probably other OS, it crashes below: 74809430 add ecx,dword ptr [eax+8] Where EAX is 00000000, which comes out to mean there is nothing at that pointer hence the crash.
-----Original Message----- From: arachnid__notdot_net () meta net nz [mailto:arachnid__notdot_net () meta net nz] Sent: Thursday, October 02, 2003 10:43 PM To: bugtraq () securityfocus com Subject: New IE crash: CSS + HTML While designing a page today, I stumbled across a combination of HTML and CSS that causes IE (6.0.2600.0000 on 2k v5.00.2195 and 6.0.3790 on 2k3 server v5.2.3790 are the only versions tested so far) to crash with a GPF. After a little work, I distilled the required code down to this: ----------------------------------------- <html> <body> <style type="text/css"> #three { position: absolute; } #one #two { position: absolute; } </style> <div id="one"> In 'one' <span id="two"> In 'two' </div> <div id="three"> In 'three' </div> </body> ----------------------------------------- A bit of experimentation revealed the following: The tag with id "one" can be any tag that is 'display: block' by default. The tag with id "two" can be any tag that is 'display: inline' by default. The tag with id "three" can be any tag at all, including non container tags such as img. The tag with id "two" _must_ be left unclosed. The selector must be "#one #two", simply selecting on #two does not work. I'll be the first to admit that this is a bit obscure (though I came across it by accident) - it seems to have something to do with opening an absolutely positioned block tag after an absolutely positioned inline tag wasn't closed properly, but is more complicated than that. In windows 2000, it also crashed explorer when I clicked on the file in in a file dialog (due to the auto-preview). A brief look at a debugger on the crashed IE instance reveals that the address it crashes at is a RET instruction. I leave it up to people with more talent than I to refine when it occurs and why ;). -Nick Johnson
Current thread:
- New IE crash: CSS + HTML arachnid__notdot_net (Oct 03)
- RE: New IE crash: CSS + HTML Brian Paulson (Oct 03)
- RE: New IE crash: CSS + HTML Russ Uhte (Lists) (Oct 03)
- RE: New IE crash: CSS + HTML Drew Copley (Oct 03)
- <Possible follow-ups>
- RE: New IE crash: CSS + HTML Robert Ahnemann (Oct 03)
- Re: New IE crash: CSS + HTML Sherlock (Oct 04)
- Vulnerabilities in Easy File Sharing Web Server (1.2 NEW). nimber (Oct 06)
- RE: New IE crash: CSS + HTML Paul Szabo (Oct 06)
- RE: New IE crash: CSS + HTML Brian Paulson (Oct 03)