[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: New IE crash: CSS + HTML
- To: <bugtraq@securityfocus.com>
- Subject: RE: New IE crash: CSS + HTML
- From: "Robert Ahnemann" <rahnemann@affinity-mortgage.com>
- Date: Fri, 3 Oct 2003 13:43:34 -0500
Cutting and pasting that into a simple HTML file gets IE to crash as
soon as its opened.
IE version: 6.0.2800.1106
> -----Original Message-----
> From: arachnid__notdot_net@meta.net.nz
> [mailto:arachnid__notdot_net@meta.net.nz]
> Sent: Friday, October 03, 2003 12:43 AM
> To: bugtraq@securityfocus.com
> Subject: New IE crash: CSS + HTML
>
> While designing a page today, I stumbled across a combination of HTML
and
> CSS
> that causes IE (6.0.2600.0000 on 2k v5.00.2195 and 6.0.3790 on 2k3
server
> v5.2.3790 are the only versions tested so far) to crash with a GPF.
After
> a
> little work, I distilled the required code down to this:
>
> -----------------------------------------
> <html>
> <body>
> <style type="text/css">
> #three {
> position: absolute;
> }
> #one #two {
> position: absolute;
> }
> </style>
> <div id="one">
> In 'one'
> <span id="two">
> In 'two'
> </div>
> <div id="three">
> In 'three'
> </div>
> </body>
> -----------------------------------------
>
> A bit of experimentation revealed the following:
> The tag with id "one" can be any tag that is 'display: block' by
default.
> The tag with id "two" can be any tag that is 'display: inline' by
default.
> The tag with id "three" can be any tag at all, including non container
> tags such
> as img.
> The tag with id "two" _must_ be left unclosed.
> The selector must be "#one #two", simply selecting on #two does not
work.
>
> I'll be the first to admit that this is a bit obscure (though I came
> across it
> by accident) - it seems to have something to do with opening an
absolutely
> positioned block tag after an absolutely positioned inline tag wasn't
> closed
> properly, but is more complicated than that.
> In windows 2000, it also crashed explorer when I clicked on the file
in in
> a
> file dialog (due to the auto-preview).
>
> A brief look at a debugger on the crashed IE instance reveals that the
> address
> it crashes at is a RET instruction.
>
> I leave it up to people with more talent than I to refine when it
occurs
> and why ;).
>
> -Nick Johnson