Sunday, 22 June 2014

Microsoft Internet Explorer 11 (11.0.9600.17107) MSHTML!CStr::_Free Crash

Another crash in IE11, maybe someone will find it interesting. It occurs when opening the Developer Tools (F12). After I finished minimizing the test case it turned out to be just one line:


To reproduce the crash you need to:
1. enable page heap
2. open the HTML file
3. press F12 / open the Developer Tools
You also need the exact build version given in the title (or lower), because this issue was fixed in the latest Microsoft Security Bulletin (https://technet.microsoft.com/en-us/library/security/ms14-jun.aspx). I have not really investigated the crash, because I found it the day before Patch Tuesday, and when it got fixed I moved on.

(b5c.5fc): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\MSHTML.dll -
eax=00000000 ebx=00000000 ecx=07d30fdc edx=6bda90b0 esi=07d30fdc edi=0a294fe8
eip=6bc0f36a esp=048b93a0 ebp=048b93bc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
MSHTML+0x4f36a:
6bc0f36a 8b06            mov     eax,dword ptr [esi]  ds:0023:07d30fdc=00000001
0:005> .symfix
0:005> .reload
Reloading current modules
................................................................
...............
0:005> r
eax=00000000 ebx=00000000 ecx=07d30fdc edx=6bda90b0 esi=07d30fdc edi=0a294fe8
eip=6bc0f36a esp=048b93a0 ebp=048b93bc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
MSHTML!CStr::_Free+0x5:
6bc0f36a 8b06            mov     eax,dword ptr [esi]  ds:0023:07d30fdc=00000001
0:005> k
ChildEBP RetAddr 
048b93a0 6c222df4 MSHTML!CStr::_Free+0x5
048b93bc 6c50fb52 MSHTML!CListenerDispatch::ConstructCode+0x78
048b9494 6c365616 MSHTML!CDoc::DynamicAttachDebugger+0x350
048ba078 6bd42176 MSHTML!CDoc::ExecHelper+0x623721
048ba098 6eeb93dd MSHTML!CDoc::Exec+0x21
048ba0e8 6eeb9097 DiagnosticsTap!DebugThreadController::IOleCommandTargetExec+0xb9
048ba11c 6eeb8ef0 DiagnosticsTap!DebugThreadController::EnableSourceRundown+0x4e
048ba134 6eec4294 DiagnosticsTap!DebugThreadController::Initialize+0x81
048ba154 6b5479f1 DiagnosticsTap!TapObject::CreateDebuggerController+0x9f
048ba1d0 6b5474a2 F12Tools!BHOSite::LaunchOutOfProcHost+0x205
048ba454 6b546bdc F12Tools!BHOSite::InitializeWindowsAndThreads+0x3bc
048ba480 75e07051 F12Tools!BHOSite::SetSite+0xb0
048ba498 66d226e8 shcore!IUnknown_SetSite+0x2c
048ba4cc 66f424ab IEFRAME!CBandSite::_AddBandByID+0xe5
048ba508 66f2a446 IEFRAME!CBandSite::AddBandWithCLSID+0x3b
048ba550 66f296e5 IEFRAME!CShellBrowser2::_GetInfoBandBS+0x177
048ba5a4 66f2e01d IEFRAME!CShellBrowser2::_EnsureAndNavigateBand+0x8e
048ba5c8 66ddf834 IEFRAME!CShellBrowser2::_ShowHideBrowserBar+0x60
048ba5ec 66e6712d IEFRAME!CShellBrowser2::_SetBrowserBarState+0x1b9
048ba878 66f2f2f0 IEFRAME!CShellBrowser2::Exec+0x23a758
048bbb38 66e654e8 IEFRAME!CShellBrowser2::v_OnCommand+0xc72
048bc390 66c3b164 IEFRAME!CBaseBrowser2::v_WndProc+0x228497
048bc484 66c281f5 IEFRAME!CShellBrowser2::v_WndProc+0x1ae
048bc4a8 779d75b3 IEFRAME!CShellBrowser2::s_WndProc+0x58
048bc4d4 779d77b8 user32!_InternalCallWinProc+0x23
048bc554 779d9744 user32!UserCallWinProcCheckWow+0x110
048bc5b0 779d9894 user32!DispatchClientMessage+0xb5
048bc5d8 77b92cde user32!__fnDWORD+0x2c
048bc608 779ed2a1 ntdll!KiUserCallbackDispatcher+0x2e
048bc60c 66d093e6 user32!NtUserTranslateAccelerator+0xa
048bc62c 66d09383 IEFRAME!CShellBrowser2::TranslateAcceleratorSB+0x34
048bc654 66d09214 IEFRAME!CShellBrowser2::_MayTranslateAccelerator_CCommonBrowser+0xb7
048bc680 66cf6d9f IEFRAME!CShellBrowser2::_MayTranslateAccelerator+0x3b
048bf840 66c8358f IEFRAME!CTabWindow::_TabWindowThreadProc+0x587
048bf8f8 71ec1b7c IEFRAME!LCIETab_ThreadProc+0x31c
048bf908 6eb531cc iertutil!_IsoThreadProc_WrapperToReleaseScope+0xe
048bf934 762b17ad IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x71
048bf940 77b73af4 KERNEL32!BaseThreadInitThunk+0xe
048bf984 77b73acd ntdll!__RtlUserThreadStart+0x20
048bf994 00000000 ntdll!_RtlUserThreadStart+0x1b
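As an added example, not part of the original post, here is a small Python triage helper that parses the WinDbg session above (exception banner, `r` registers, the faulting instruction and the `k` stack) into a summary: which module!symbol faulted, whether the faulting access was a read or a write, which register supplied the bad address, and the top frames. The regexes assume the default 32-bit WinDbg output layout shown in the post.

```python
import re

# Taken from the post's WinDbg session (truncated to the first frames); the
# layout is what WinDbg prints for the exception banner, `r` and `k`.
WINDBG_OUTPUT = """\
(b5c.5fc): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=07d30fdc edx=6bda90b0 esi=07d30fdc edi=0a294fe8
eip=6bc0f36a esp=048b93a0 ebp=048b93bc iopl=0         nv up ei pl zr na pe nc
MSHTML!CStr::_Free+0x5:
6bc0f36a 8b06            mov     eax,dword ptr [esi]  ds:0023:07d30fdc=00000001
0:005> k
ChildEBP RetAddr 
048b93a0 6c222df4 MSHTML!CStr::_Free+0x5
048b93bc 6c50fb52 MSHTML!CListenerDispatch::ConstructCode+0x78
048b9494 6c365616 MSHTML!CDoc::DynamicAttachDebugger+0x350
"""

EXC_RE = re.compile(r"^\([0-9a-f]+\.[0-9a-f]+\): (.+?) - code ([0-9a-f]{8})")
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bsi]p)=([0-9a-f]{8})")
SYM_RE = re.compile(r"^\S+(?:!\S+)?\+0x[0-9a-f]+:$")          # "MSHTML!CStr::_Free+0x5:"
INSN_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]+\s+(\w+)\s+(.*?)(?:\s+ds:\S+)?$")
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (\S+!\S+)$")  # one `k` frame

def triage(text):
    """Return exception, registers, faulting symbol/instruction and stack frames."""
    info = {"regs": {}, "frames": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if m := EXC_RE.match(line):
            info["exception"], info["code"] = m.group(1), int(m.group(2), 16)
        for reg, val in REG_RE.findall(line):
            info["regs"][reg] = int(val, 16)
        if SYM_RE.match(line) and i + 1 < len(lines) and (m := INSN_RE.match(lines[i + 1])):
            info["faulting_symbol"] = line[:-1]          # drop the trailing ':'
            info["mnemonic"], info["operands"] = m.group(1), m.group(2)
        if m := FRAME_RE.match(line):
            info["frames"].append(m.group(1))
    return info

def access_kind(info):
    """'write' if the memory operand is the destination, else 'read'."""
    return "write" if "[" in info.get("operands", "").split(",")[0] else "read"

def fault_address(info):
    """Resolve the base register of the memory operand to its dumped value."""
    m = re.search(r"\[(e\w\w)\]", info.get("operands", ""))
    if not m or m.group(1) not in info["regs"]:
        return None
    return m.group(1), info["regs"][m.group(1)]
```

For the session above, `triage()` reports an access violation at `MSHTML!CStr::_Free+0x5`, a read through `esi` = 0x07d30fdc, with `CListenerDispatch::ConstructCode` and `CDoc::DynamicAttachDebugger` as the next frames, which is the same picture a practitioner extracts by hand before deciding whether a crash is worth a closer look.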