Vulnerability Development mailing list archives

corrupted link


From: JklojLrnzn () AOL COM (JklojLrnzn () AOL COM)
Date: Sun, 30 Apr 2000 16:10:12 EDT


Some time ago someone posted a corrupted .lnk which crashes Windows 9x
Shell.dll with a page fault as soon as Windows catches sight of it.
We haven't exactly found out why that link crashes Windows, but some debugging
and trying revealed the following:

It is easy to reproduce, just grab any working lnk file and
change the byte at 00004D to 74 and the one at 00004F to E0.

Interestingly quite a lot combinations work, e.g. these ranges will also
work:

00004D 01 - DF
00004F 79 - FF

According to the mail from
u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
(http://www.ussrback.com)

the word at 004c contains the size of the whole IDList and
the word at 004e contains the length of the first item.

Obviously SHGetPathFromIDList doesn't like the first item to be greater than
the whole list, which sounds convincing.
However, the low byte of both words, which is normally nonzero whereas the
high word is equal to zero, doesn't matter at all.
The crash only works with sizes greater than 255, even if 004e is greater than
004c.

But (2nd however) if 4f = 4d+1 it won't work, but 4f = 4d works.

Also interesting is that apart from these two words and the info
needed to render the file as a valid link, nothing more is needed.
This means that the following file is also a working corrupted (though dead) link:

0000:   4c 00 00 00 01 14 02 00 00 00 00 00 c0 00 00 00
0010:   00 00 00 46 ff 00 00 00 00 00 00 00 00 00 00 00
0020:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0030:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040:   00 00 00 00 00 00 00 00 00 00 00 00 00 74 00 e0

Anyone confirm this or comment?

eAX & derDoc
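A consistency check for the two words the post describes, added here as an example and not part of the original message or of any shell code: it parses the 0x4c-byte header, follows the IDList item chain, and flags an ItemID whose size exceeds the IDListSize (the condition SHGetPathFromIDList is suspected of mishandling). The header layout (HeaderSize, LinkFlags at 0x14, bit 0 = HasLinkTargetIDList) is assumed from the published Shell Link format; the sample bytes are constructed from the dump above.

```python
import struct

# Layout assumed from the published Shell Link format: a 0x4c-byte header whose
# LinkFlags dword sits at offset 0x14, then (if bit 0 is set) a 16-bit IDListSize
# at 0x4c and a chain of ItemIDs, each led by its own 16-bit size, ended by 0x0000.
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_IDLIST = 0x00000001

def check_idlist(data: bytes) -> list:
    """Return the inconsistencies found in a .lnk file's IDList ([] if it is sane)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        return ["header: HeaderSize is not 0x4c, not a shell link"]
    flags = struct.unpack_from("<I", data, 0x14)[0]
    if not flags & HAS_LINK_TARGET_IDLIST:
        return []                       # no IDList present, nothing to check
    if len(data) < HEADER_SIZE + 2:
        return ["idlist: file ends before IDListSize"]
    idlist_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]   # the word at 0x4c
    body = data[HEADER_SIZE + 2 : HEADER_SIZE + 2 + idlist_size]
    problems = []
    if len(body) < idlist_size:
        problems.append(f"idlist: IDListSize {idlist_size} runs past end of file")
    pos, index = 0, 0
    while pos + 2 <= len(body):
        item_size = struct.unpack_from("<H", body, pos)[0]   # first one is the word at 0x4e
        if item_size == 0:              # terminal ID: the list ended cleanly
            return problems
        if item_size < 2 or pos + item_size > idlist_size:
            problems.append(f"item {index}: size {item_size} exceeds IDListSize {idlist_size}")
            return problems
        pos += item_size
        index += 1
    problems.append("idlist: no terminal ID before IDListSize was reached")
    return problems

# Constructed samples: the 80-byte dead link from the post, and a sane variant.
HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046" "ff000000") + bytes(0x4C - 0x18)
CORRUPT_LNK = HEADER + bytes.fromhex("0074" "00e0")       # IDListSize 0x7400, first item 0xe000
SANE_IDLIST = bytes.fromhex("1400") + b"A" * 18 + bytes.fromhex("0a00") + b"B" * 8 + bytes.fromhex("0000")
SANE_LNK = HEADER + struct.pack("<H", len(SANE_IDLIST)) + SANE_IDLIST

if __name__ == "__main__":
    for name, blob in (("corrupt", CORRUPT_LNK), ("sane", SANE_LNK)):
        print(name, check_idlist(blob) or "ok")
```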

