On Windows 2003, probably other OS, it crashes below: 74809430 add ecx,dword ptr [eax+8] Where EAX is 00000000, which comes out to mean there is nothing at that pointer hence the crash. > -----Original Message----- > From: arachnid__notdot_net@meta.net.nz > [mailto:arachnid__notdot_net@meta.net.nz] > Sent: Thursday, October 02, 2003 10:43 PM > To: bugtraq@securityfocus.com > Subject: New IE crash: CSS + HTML > > > While designing a page today, I stumbled across a combination > of HTML and CSS that causes IE (6.0.2600.0000 on 2k > v5.00.2195 and 6.0.3790 on 2k3 server v5.2.3790 are the only > versions tested so far) to crash with a GPF. After a little > work, I distilled the required code down to this: > > ----------------------------------------- > <html> > <body> > <style type="text/css"> > #three { > position: absolute; > } > #one #two { > position: absolute; > } > </style> > <div id="one"> > In 'one' > <span id="two"> > In 'two' > </div> > <div id="three"> > In 'three' > </div> > </body> > ----------------------------------------- > > A bit of experimentation revealed the following: > The tag with id "one" can be any tag that is 'display: block' > by default. The tag with id "two" can be any tag that is > 'display: inline' by default. The tag with id "three" can be > any tag at all, including non container tags such as img. The > tag with id "two" _must_ be left unclosed. The selector must > be "#one #two", simply selecting on #two does not work. > > I'll be the first to admit that this is a bit obscure (though > I came across it by accident) - it seems to have something to > do with opening an absolutely positioned block tag after an > absolutely positioned inline tag wasn't closed properly, but > is more complicated than that. In windows 2000, it also > crashed explorer when I clicked on the file in in a file > dialog (due to the auto-preview). > > A brief look at a debugger on the crashed IE instance reveals > that the address it crashes at is a RET instruction. > > I leave it up to people with more talent than I to refine > when it occurs and why ;). > > -Nick Johnson >