https://bugs.winehq.org/show_bug.cgi?id=34021
Anastasius Focht focht@gmx.net changed:
What            |Removed |Added
----------------------------------------------------------------------------
CC              |        |focht@gmx.net

--- Comment #3 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming.
You don't even need an IE8 install for that; just visit 'www.microsoft.com' with the builtin.
Looks like a classic buffer overflow to me (overly long jscript URI):
--- snip ---
$ wine ~/.wine/drive_c/Program\ Files/Internet\ Explorer/iexplore.exe www.microsoft.com
...
004a:trace:wininet:urlcache_encode_url L"http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAA..."...
...
004a:trace:wininet:InternetCrackUrlW (L"http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAA..."... 0 0 0x53cc434)
...
004a:trace:wininet:InternetCrackUrlA "http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAA..."...: scheme((null)) host((null)) path("/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1CdBKeYyi0AAACAAAAAgAAAAIAAAACAAAA"...) extra((null))
004a:Call ntdll.RtlFreeHeap(00110000,00000000,068c2e40) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:trace:seh:raise_exception code=c0000005 flags=0 addr=0xf749afc6 ip=f749afc6 tid=004a
004a:trace:seh:raise_exception  info[0]=00000000
004a:trace:seh:raise_exception  info[1]=754f6d64
004a:trace:seh:raise_exception  eax=00000000 ebx=f77b9000 ecx=00000024 edx=754f6d64 esi=f77ac3b5 edi=754f6d64
004a:trace:seh:raise_exception  ebp=053cbf58 esp=053cbf24 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210283
--- snip ---
--- snip ---
...
=>0 0x7e31732c urlcache_entry_create+0x1dd(url=*** invalid address 0x754f6d64 ***, ext=*** invalid address 0x4e644a77 ***, full_path=*** invalid address 0x41414167 ***) [/home/focht/projects/wine/wine.repo/src/dlls/wininet/urlcache.c:2661] in wininet (0x0186c4c8)
0x7e31732c urlcache_entry_create+0x1dd [/home/focht/projects/wine/wine.repo/src/dlls/wininet/urlcache.c:2661] in wininet: movb $0x0,0xfffffe88(%ebp,%eax,1)
2661    file_name[e-p] = 0;
...
Wine-dbg>info locals
0x7e31732c urlcache_entry_create+0x1dd: (0186c4c8)
char* url=*** invalid address 0x754f6d64 *** (parameter [EBP+8])
char* ext=*** invalid address 0x4e644a77 *** (parameter [EBP+12])
WCHAR* full_path=*** invalid address 0x41414167 *** (parameter [EBP+16])
cache_container* container=0x67414141 (local [EBP-116])
urlcache_header* header=0x41414141 (local [EBP-64])
char --none--[260] file_name="??..." (local [EBP-376])
WCHAR --none--[260] extW={ ... }
BYTE cache_dir='K' (local [EBP-9])
LONG full_path_len=0x7e332000 (local [EBP-900])
BOOL generate_name=0x6e4a3163 (local [EBP-16])
DWORD error=0x59534249 (local [EBP-60])
HANDLE file=0x67414141 (local [EBP-84])
FILETIME ft={dwLowDateTime=0x7ffdf000, dwHighDateTime=0x3a} (local [EBP-908])
URL_COMPONENTSA uc={dwStructSize=0x3c, lpszScheme=0x0(nil), dwSchemeLength=0, nScheme=INTERNET_SCHEME_HTTP, lpszHostName=0x0(nil), dwHostNameLength=0, nPort=0x50, lpszUserName=0x0(nil), dwUserNameLength=0, lpszPassword=0x0(nil), dwPasswordLength=0, lpszUrlPath="/ots/ots/js-3.2/311121/WT34_YlVgAAAIAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1CdBKeYyi0AAACAAAAAgAAAAIAAAACAAAAAgIhIhm4AAACAAAAAgLesOJP0xZK8AAAAgAAAAIBSYgEufY02RClpEpguMDgyAAAAgAAAAIAAAACAFi9Yvc1Jn5bfKYotAAAAgAAAAIDMzdmOuwJdNgAAAIAAAACAAAAAgGt4p68AAACAAAAAgAAAAIAGEuJOAAAAgDT88Qph1iZjAAAAgAAAAIAAAACAwekvMllRApWPMkafAAAAgGlpFwoAAACA2ae0vOA6CMwAAACAAAAAgAAAAIA5Crrj9yQOlAAAAIChdS83Hun-FLZreKpYzh1WAAAAgAAAAIAAAACAAAAAgKNnaMAAAACAAAAAgAAAAIAAAACAAAAAgK6wit6ZbT5YADjM7PZ9HAwAAACAAAAAgAAAAIDSLxBzAAAAgAAAAIAAAACAAAAAgCFr9bLnZZhrsoW9flhoZJOTBp2opVM2jAAAAIAAAACAiib0WXNnZtxbyXH-AAAAgAAAAIAAAACAAAAAgAAAAIB8HVjhAAAAgAAAAIDS7S44JiGQeQAAAICertkUAAAAgAAAAICaHYGrAAAAgAAAAIAAAACALgPnYAAAAIBtVpJNAAAAgJmBep8AAACAAAAAgAQ6EPMAAACAAAAAgAAAAIAAAACAAAAAgAAAAIDGDv_8AAAAgAAAAIAAAACA4mBgxyJZXp7vAmZI2x8Gf65I8BVu9zQkAAAAgAAAAIAAAACAEiqh5pN_e_gAAACAzAlu5", dwUrlPathLength=0x666, lpszExtraInfo=0x0(nil), dwExtraInfoLength=0} (local [EBP-968])
int i=0x76593969 (local [EBP-20])
char* p=*** invalid address 0x46414341 *** (local [EBP-24])
char* e=*** invalid address 0x41414149 *** (local [EBP-28])
--- snip ---
$ wine --version
wine-1.7.13-100-gfcae016
Regards
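The pattern behind the crash in the comment above, as an added example that is not Wine's code or the reporter's: a fixed `file_name[260]` filled from a URL path segment of length `e-p` with no bounds check, next to a hardened version that refuses segments that do not fit. The function names, the way `p` and `e` are located (last path segment up to an optional extension) and the 0x666-byte sample input are constructed here to match the trace's `dwUrlPathLength` and `file_name[e-p] = 0;`; how wininet actually derives `p` and `e` is not shown on the page and is an assumption.

```c
/* Added example modelling the unbounded copy behind the urlcache crash.
 * Not Wine's code: names, segment logic and the sample path are assumed. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATH 260   /* size of file_name in the trace's locals */

/* Locate the final path segment [p, e): p just after the last '/',
 * e at the first '.' after it (extension) or at end of string.
 * Assumed shape of the p/e pair seen in the locals dump. */
static size_t last_segment(const char *url_path, const char **p_out)
{
    const char *p = strrchr(url_path, '/');
    p = p ? p + 1 : url_path;
    const char *e = strchr(p, '.');
    if (!e) e = p + strlen(p);
    *p_out = p;
    return (size_t)(e - p);
}

/* Vulnerable shape: file_name is MAX_PATH bytes, but e-p is whatever the
 * URL supplied. With the 0x666-byte path below it would write well over a
 * thousand bytes past file_name and across the locals that sit above it on
 * the stack, consistent with the 0x41414141 values in the dump. Only ever
 * called here with a short path. */
void build_cache_file_name_unsafe(const char *url_path, char *file_name)
{
    const char *p;
    size_t n = last_segment(url_path, &p);
    memcpy(file_name, p, n);     /* no check against MAX_PATH */
    file_name[n] = 0;            /* the trace's file_name[e-p] = 0; */
}

/* Hardened: refuse any segment that does not fit, leaving room for NUL. */
bool build_cache_file_name(const char *url_path, char *file_name, size_t cap)
{
    const char *p;
    size_t n = last_segment(url_path, &p);
    if (n >= cap)
        return false;            /* would overflow: fail instead of copy */
    memcpy(file_name, p, n);
    file_name[n] = 0;
    return true;
}

/* Constructed input: a 0x666-byte URL path whose last segment is a run of
 * 'A', standing in for the overlong webtrends URI in the trace. */
char *make_long_path(void)
{
    const char *prefix = "/ots/ots/js-3.2/311121/";
    size_t total = 0x666, pl = strlen(prefix);
    char *s = malloc(total + 1);
    memcpy(s, prefix, pl);
    memset(s + pl, 'A', total - pl);
    s[total] = 0;
    return s;
}

/* Length the unsafe copy would have written for the constructed path. */
size_t long_path_segment_len(void)
{
    const char *p;
    char *s = make_long_path();
    size_t n = last_segment(s, &p);
    free(s);
    return n;
}

int main(void)
{
    char file_name[MAX_PATH];
    char *s = make_long_path();

    printf("segment length %zu vs buffer %d\n", long_path_segment_len(), MAX_PATH);
    printf("hardened on long path: %s\n",
           build_cache_file_name(s, file_name, sizeof file_name) ? "ok" : "rejected");
    build_cache_file_name_unsafe("/ots/ots/js-3.2/311121/foo.js", file_name);
    printf("unsafe on short path: %s\n", file_name);
    free(s);
    return 0;
}
```

The check `n >= cap` is the whole fix in this model; the segment length is attacker-controlled because it comes straight out of the URL, so it has to be compared against the destination size before any byte is written.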