[Bug 34021] IE8 crashes badly when navigating to www.microsoft.com
wine-bugs at winehq.org
Thu Feb 27 12:07:25 CST 2014
https://bugs.winehq.org/show_bug.cgi?id=34021
Anastasius Focht <focht at gmx.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |focht at gmx.net
--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
confirming.
You don't even need the IE8 install for that, just visit 'www.microsoft.com' with
builtin.
Looks like a classic buffer overflow to me (overly long jscript URI):
--- snip ---
$ wine ~/.wine/drive_c/Program\ Files/Internet\ Explorer/iexplore.exe
www.microsoft.com
...
004a:trace:wininet:urlcache_encode_url
L"http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1"...
...
004a:trace:wininet:InternetCrackUrlW
(L"http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1"...
0 0 0x53cc434)
...
004a:trace:wininet:InternetCrackUrlA
"http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1"...:
scheme((null)) host((null))
path("/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1CdBKeYyi0AAACAAAAAgAAAAIAAAACAAAA"...)
extra((null))
004a:Call ntdll.RtlFreeHeap(00110000,00000000,068c2e40) ret=7e301ff0
004a:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:trace:seh:raise_exception code=c0000005 flags=0 addr=0xf749afc6
ip=f749afc6 tid=004a
004a:trace:seh:raise_exception info[0]=00000000
004a:trace:seh:raise_exception info[1]=754f6d64
004a:trace:seh:raise_exception eax=00000000 ebx=f77b9000 ecx=00000024
edx=754f6d64 esi=f77ac3b5 edi=754f6d64
004a:trace:seh:raise_exception ebp=053cbf58 esp=053cbf24 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210283
--- snip ---
--- snip ---
...
=>0 0x7e31732c urlcache_entry_create+0x1dd(url=*** invalid address 0x754f6d64
***, ext=*** invalid address 0x4e644a77 ***, full_path=*** invalid address
0x41414167 ***)
[/home/focht/projects/wine/wine.repo/src/dlls/wininet/urlcache.c:2661] in
wininet (0x0186c4c8)
0x7e31732c urlcache_entry_create+0x1dd
[/home/focht/projects/wine/wine.repo/src/dlls/wininet/urlcache.c:2661] in
wininet: movb $0x0,0xfffffe88(%ebp,%eax,1)
2661 file_name[e-p] = 0;
...
Wine-dbg>info locals
0x7e31732c urlcache_entry_create+0x1dd: (0186c4c8)
char* url=*** invalid address 0x754f6d64 *** (parameter [EBP+8])
char* ext=*** invalid address 0x4e644a77 *** (parameter [EBP+12])
WCHAR* full_path=*** invalid address 0x41414167 *** (parameter [EBP+16])
cache_container* container=0x67414141 (local [EBP-116])
urlcache_header* header=0x41414141 (local [EBP-64])
char --none--[260] file_name="??..." (local [EBP-376])
WCHAR --none--[260] extW={ ... }
BYTE cache_dir='K' (local [EBP-9])
LONG full_path_len=0x7e332000 (local [EBP-900])
BOOL generate_name=0x6e4a3163 (local [EBP-16])
DWORD error=0x59534249 (local [EBP-60])
HANDLE file=0x67414141 (local [EBP-84])
FILETIME ft={dwLowDateTime=0x7ffdf000, dwHighDateTime=0x3a} (local
[EBP-908])
URL_COMPONENTSA uc={dwStructSize=0x3c, lpszScheme=0x0(nil),
dwSchemeLength=0, nScheme=INTERNET_SCHEME_HTTP, lpszHostName=0x0(nil),
dwHostNameLength=0, nPort=0x50, lpszUserName=0x0(nil), dwUserNameLength=0,
lpszPassword=0x0(nil), dwPasswordLength=0,
lpszUrlPath="/ots/ots/js-3.2/311121/WT34_YlVgAAAIAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1CdBKeYyi0AAACAAAAAgAAAAIAAAACAAAAAgIhIhm4AAACAAAAAgLesOJP0xZK8AAAAgAAAAIBSYgEufY02RClpEpguMDgyAAAAgAAAAIAAAACAFi9Yvc1Jn5bfKYotAAAAgAAAAIDMzdmOuwJdNgAAAIAAAACAAAAAgGt4p68AAACAAAAAgAAAAIAGEuJOAAAAgDT88Qph1iZjAAAAgAAAAIAAAACAwekvMllRApWPMkafAAAAgGlpFwoAAACA2ae0vOA6CMwAAACAAAAAgAAAAIA5Crrj9yQOlAAAAIChdS83Hun-FLZreKpYzh1WAAAAgAAAAIAAAACAAAAAgKNnaMAAAACAAAAAgAAAAIAAAACAAAAAgK6wit6ZbT5YADjM7PZ9HAwAAACAAAAAgAAAAIDSLxBzAAAAgAAAAIAAAACAAAAAgCFr9bLnZZhrsoW9flhoZJOTBp2opVM2jAAAAIAAAACAiib0WXNnZtxbyXH-AAAAgAAAAIAAAACAAAAAgAAAAIB8HVjhAAAAgAAAAIDS7S44JiGQeQAAAICertkUAAAAgAAAAICaHYGrAAAAgAAAAIAAAACALgPnYAAAAIBtVpJNAAAAgJmBep8AAACAAAAAgAQ6EPMAAACAAAAAgAAAAIAAAACAAAAAgAAAAIDGDv_8AAAAgAAAAIAAAACA4mBgxyJZXp7vAmZI2x8Gf65I8BVu9zQkAAAAgAAAAIAAAACAEiqh5pN_e_gAAACAzAlu5",
dwUrlPathLength=0x666, lpszExtraInfo=0x0(nil), dwExtraInfoLength=0} (local
[EBP-968])
int i=0x76593969 (local [EBP-20])
char* p=*** invalid address 0x46414341 *** (local [EBP-24])
char* e=*** invalid address 0x41414149 *** (local [EBP-28])
--- snip ---
$ wine --version
wine-1.7.13-100-gfcae016
Regards
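Added illustration (not Wine's code, and not the fix Wine eventually shipped): a self-contained model of the pattern at the crash site, where the tail of the URL path is written into a fixed 260-byte file_name buffer. The helper below bounds that copy so a 0x666-byte path like the one in the trace is refused instead of overrunning the stack; derive_cache_file_name and make_long_path are hypothetical names, and the long path is constructed, not captured.

```c
#include <stddef.h>
#include <string.h>

#define CACHE_FILE_NAME_LEN 260   /* matches "char file_name[260]" in the trace */

/* Copies the last path segment of url_path (after the final '/', up to any
 * '?' or '#') into out. Returns the segment length, or -1 when the segment
 * plus its NUL terminator would not fit in out_len; out is then emptied.
 * Hypothetical helper modelled on the crash site, not Wine's real code. */
int derive_cache_file_name(const char *url_path, char *out, size_t out_len)
{
    const char *p, *e;
    size_t n;

    if (!url_path || !out || out_len == 0)
        return -1;

    /* e: end of the path proper; p: start of its last segment */
    e = url_path;
    while (*e && *e != '?' && *e != '#')
        e++;
    p = e;
    while (p > url_path && p[-1] != '/')
        p--;
    n = (size_t)(e - p);

    /* The unchecked original did file_name[e-p] = 0 for any e-p; here the
     * write happens only if n bytes plus the terminator fit in the buffer. */
    if (n + 1 > out_len) {
        out[0] = '\0';
        return -1;
    }
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Builds "/ots/ots/js-3.2/311121/" followed by seg_len 'A' characters, so the
 * over-long webtrends path from the trace can be reproduced at any length.
 * Returns the total path length, or 0 if buf is too small. */
size_t make_long_path(char *buf, size_t buf_len, size_t seg_len)
{
    const char *prefix = "/ots/ots/js-3.2/311121/";
    size_t pre = strlen(prefix);

    if (pre + seg_len + 1 > buf_len)
        return 0;
    memcpy(buf, prefix, pre);
    memset(buf + pre, 'A', seg_len);
    buf[pre + seg_len] = '\0';
    return pre + seg_len;
}
```

With dwUrlPathLength=0x666 (1638 bytes) the segment alone is 1615 bytes, far beyond the 260-byte buffer, which is exactly the case the check rejects.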