[Bug 34021] IE8 crashes badly when navigating to www.microsoft.com

wine-bugs at winehq.org
Thu Feb 27 12:07:25 CST 2014


https://bugs.winehq.org/show_bug.cgi?id=34021

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net

--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

You don't even need an IE8 install for that, just visit 'www.microsoft.com' with
the builtin.

Looks like a classic buffer overflow to me (overly long jscript URI):

--- snip ---
$ wine ~/.wine/drive_c/Program\ Files/Internet\ Explorer/iexplore.exe
www.microsoft.com
...
004a:trace:wininet:urlcache_encode_url
L"http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1"...
...
004a:trace:wininet:InternetCrackUrlW
(L"http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1"...
0 0 0x53cc434)
...
004a:trace:wininet:InternetCrackUrlA
"http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1"...:
scheme((null)) host((null))
path("/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1CdBKeYyi0AAACAAAAAgAAAAIAAAACAAAA"...)
extra((null))
004a:Call ntdll.RtlFreeHeap(00110000,00000000,068c2e40) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:trace:seh:raise_exception code=c0000005 flags=0 addr=0xf749afc6
ip=f749afc6 tid=004a
004a:trace:seh:raise_exception  info[0]=00000000
004a:trace:seh:raise_exception  info[1]=754f6d64
004a:trace:seh:raise_exception  eax=00000000 ebx=f77b9000 ecx=00000024
edx=754f6d64 esi=f77ac3b5 edi=754f6d64
004a:trace:seh:raise_exception  ebp=053cbf58 esp=053cbf24 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210283
--- snip ---

--- snip ---
...
=>0 0x7e31732c urlcache_entry_create+0x1dd(url=*** invalid address 0x754f6d64
***, ext=*** invalid address 0x4e644a77 ***, full_path=*** invalid address
0x41414167 ***)
[/home/focht/projects/wine/wine.repo/src/dlls/wininet/urlcache.c:2661] in
wininet (0x0186c4c8)
0x7e31732c urlcache_entry_create+0x1dd
[/home/focht/projects/wine/wine.repo/src/dlls/wininet/urlcache.c:2661] in
wininet: movb    $0x0,0xfffffe88(%ebp,%eax,1)
2661            file_name[e-p] = 0;
...
Wine-dbg>info locals

0x7e31732c urlcache_entry_create+0x1dd: (0186c4c8)
    char* url=*** invalid address 0x754f6d64 *** (parameter [EBP+8])
    char* ext=*** invalid address 0x4e644a77 *** (parameter [EBP+12])
    WCHAR* full_path=*** invalid address 0x41414167 *** (parameter [EBP+16])
    cache_container* container=0x67414141 (local [EBP-116])
    urlcache_header* header=0x41414141 (local [EBP-64])
    char --none--[260] file_name="??..." (local [EBP-376])
    WCHAR --none--[260] extW={ ... }
    BYTE cache_dir='K' (local [EBP-9])
    LONG full_path_len=0x7e332000 (local [EBP-900])
    BOOL generate_name=0x6e4a3163 (local [EBP-16])
    DWORD error=0x59534249 (local [EBP-60])
    HANDLE file=0x67414141 (local [EBP-84])
    FILETIME ft={dwLowDateTime=0x7ffdf000, dwHighDateTime=0x3a} (local
[EBP-908])
    URL_COMPONENTSA uc={dwStructSize=0x3c, lpszScheme=0x0(nil),
dwSchemeLength=0, nScheme=INTERNET_SCHEME_HTTP, lpszHostName=0x0(nil),
dwHostNameLength=0, nPort=0x50, lpszUserName=0x0(nil), dwUserNameLength=0,
lpszPassword=0x0(nil), dwPasswordLength=0,
lpszUrlPath="/ots/ots/js-3.2/311121/WT34_YlVgAAAIAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1CdBKeYyi0AAACAAAAAgAAAAIAAAACAAAAAgIhIhm4AAACAAAAAgLesOJP0xZK8AAAAgAAAAIBSYgEufY02RClpEpguMDgyAAAAgAAAAIAAAACAFi9Yvc1Jn5bfKYotAAAAgAAAAIDMzdmOuwJdNgAAAIAAAACAAAAAgGt4p68AAACAAAAAgAAAAIAGEuJOAAAAgDT88Qph1iZjAAAAgAAAAIAAAACAwekvMllRApWPMkafAAAAgGlpFwoAAACA2ae0vOA6CMwAAACAAAAAgAAAAIA5Crrj9yQOlAAAAIChdS83Hun-FLZreKpYzh1WAAAAgAAAAIAAAACAAAAAgKNnaMAAAACAAAAAgAAAAIAAAACAAAAAgK6wit6ZbT5YADjM7PZ9HAwAAACAAAAAgAAAAIDSLxBzAAAAgAAAAIAAAACAAAAAgCFr9bLnZZhrsoW9flhoZJOTBp2opVM2jAAAAIAAAACAiib0WXNnZtxbyXH-AAAAgAAAAIAAAACAAAAAgAAAAIB8HVjhAAAAgAAAAIDS7S44JiGQeQAAAICertkUAAAAgAAAAICaHYGrAAAAgAAAAIAAAACALgPnYAAAAIBtVpJNAAAAgJmBep8AAACAAAAAgAQ6EPMAAACAAAAAgAAAAIAAAACAAAAAgAAAAIDGDv_8AAAAgAAAAIAAAACA4mBgxyJZXp7vAmZI2x8Gf65I8BVu9zQkAAAAgAAAAIAAAACAEiqh5pN_e_gAAACAzAlu5",
dwUrlPathLength=0x666, lpszExtraInfo=0x0(nil), dwExtraInfoLength=0} (local
[EBP-968])
    int i=0x76593969 (local [EBP-20])
    char* p=*** invalid address 0x46414341 *** (local [EBP-24])
    char* e=*** invalid address 0x41414149 *** (local [EBP-28])
--- snip ---

$ wine --version
wine-1.7.13-100-gfcae016

Regards

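Added example, not code from this report or from Wine: a simplified C model of the pattern the backtrace points at, a fixed 260-byte file_name[] receiving the last URL path component and then the store file_name[e-p] = 0, with a length-checked form beside it. The sample path is constructed (the trace's path prefix padded with 'A' to the report's dwUrlPathLength of 0x666) and the helper names are mine, not wininet's.

```c
#include <stdbool.h>
#include <string.h>

#define FILE_NAME_MAX 260      /* size of the fixed file_name[] in the report */
#define SAMPLE_PATH_LEN 0x666  /* dwUrlPathLength shown in the report */
/* Constructed sample: the trace's path prefix padded with 'A' to 0x666 bytes. */
const char *long_path_sample(void)
{
    static char buf[SAMPLE_PATH_LEN + 1];          /* trailing byte stays NUL */
    size_t n = strlen("/ots/ots/js-3.2/311121/");
    memcpy(buf, "/ots/ots/js-3.2/311121/", n);
    memset(buf + n, 'A', SAMPLE_PATH_LEN - n);
    return buf;
}
/* Length of the last path component (after the final '/', up to '?' or the end);
 * *start receives its first byte. Models the p/e pointers seen in the report. */
static size_t last_component(const char *path, const char **start)
{
    const char *p = strrchr(path, '/');
    const char *e = p = p ? p + 1 : path;
    while (*e && *e != '?') e++;
    *start = p;
    return (size_t)(e - p);
}
/* Bytes the unchecked pattern "memcpy(file_name, p, e-p); file_name[e-p] = 0;"
 * would write into file_name[FILE_NAME_MAX]. Computed only; nothing is copied. */
size_t unchecked_write_len(const char *path)
{
    const char *p;
    return last_component(path, &p) + 1;            /* +1 for the NUL store */
}
/* Hardened form: copy only when the component plus its NUL fits the buffer. */
bool extract_file_name(const char *path, char *out, size_t out_size)
{
    const char *p;
    size_t len = last_component(path, &p);
    if (len >= out_size)
        return false;        /* too long: caller must pick another name */
    memcpy(out, p, len);
    out[len] = '\0';
    return true;
}
/* Would a FILE_NAME_MAX-byte stack buffer, as in the report, hold this name? */
bool hardened_accepts(const char *path)
{
    char file_name[FILE_NAME_MAX];
    return extract_file_name(path, file_name, sizeof file_name);
}
```

For the constructed 0x666-byte path the unchecked pattern would store 1616 bytes into a 260-byte stack buffer, which matches the 0x41414141-style values overwriting the locals in the debugger output; the checked form simply refuses the name.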