https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2014-1773_Internet_Explorer%E5%85%A7%E5%AD%98%E6%90%8D%E5%A3%9E%E6%BC%8F%E6%B4%9ECVE-2014-1773 Internet Explorer內存損壞漏洞 - Revision history2026-04-16T10:38:06ZRevision history for this page on the wikiMediaWiki 1.35.1https://pwnwiki.com/index.php?title=CVE-2014-1773_Internet_Explorer%E5%85%A7%E5%AD%98%E6%90%8D%E5%A3%9E%E6%BC%8F%E6%B4%9E&diff=1072&oldid=prevPwnwiki: Created page with "==INFO== <pre> CClipStack::PushClipRect() Invalid Array Indexing First, starting with the callstack from the crash with pageheap enabled: ChildEBP RetAddr 0919aac8 6b58459f..."2021-04-07T03:20:38Z<p>Created page with "==INFO== <pre> CClipStack::PushClipRect() Invalid Array Indexing First, starting with the callstack from the crash with pageheap enabled: ChildEBP RetAddr 0919aac8 6b58459f..."</p>
<p><b>New page</b></p><div>==INFO==<br />
<pre><br />
CClipStack::PushClipRect() Invalid Array Indexing<br />
<br />
First, starting with the callstack from the crash with pageheap enabled:<br />
<br />
ChildEBP RetAddr <br />
0919aac8 6b58459f MSHTML!CWorldTransform::IsAxisAligned<br />
0919ab40 6ba228e9 MSHTML!CDispSurface::CClipStack::PushClipRect+0x1a2<br />
0919aba4 6be25b58 MSHTML!CDispSurface::PushClipRectInternal+0x2f<br />
0919abc0 6bf1118f MSHTML!CDispSurface::PushClipRectUser+0x26<br />
0919ac24 6bf1157e MSHTML!CCanvasCompositor::ClearRightAndBelowRenderedRegion+0xcd<br />
0919acd8 6b28108c MSHTML!CCanvasCompositor::ExecuteCompositionEffects+0x34d<br />
0919ace0 6b2802f4 MSHTML!CCanvasCompositor::Flush+0x3d<br />
0919ace8 6bf0c867 MSHTML!CCanvasCompositor::~CCanvasCompositor+0x10<br />
0919ae28 6bf0b668 MSHTML!CCanvasRenderingContext2D::StrokeRectInternal+0x1b3<br />
0919ae70 6bf0e032 MSHTML!CCanvasRenderingContext2D::ExecuteStrokeRect+0x1c5<br />
0919aebc 6bd74b6f MSHTML!CCanvasRenderingContext2D::Var_strokeRect+0xac<br />
0919aee0 6ae7056e MSHTML!CFastDOM::CCanvasRenderingContext2D::Trampoline_strokeRect+0x3b<br />
0919af50 6ae6cdda jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x165<br />
0919b328 6ae6dc86 jscript9!Js::InterpreterStackFrame::Process+0x1e74<br />
0919b474 09560fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1e7<br />
<br />
If we step back one function, this guy sets the object pointer that is used by the crash:<br />
<br />
.text:63CDE575 ; public: long __thiscall CDispSurface::CClipStack::PushClipRect(class CRectF const &, class CWorldTransform const *, bool, bool)<br />
.text:63CDE575 mov edi, edi<br />
.text:63CDE577 push ebp<br />
.text:63CDE578 mov ebp, esp<br />
.text:63CDE57A sub esp, 64h<br />
.text:63CDE57D and [ebp+var_8], 0<br />
.text:63CDE581 mov edx, ecx<br />
.text:63CDE583 push ebx<br />
.text:63CDE584 push esi<br />
.text:63CDE585 mov esi, [ebp+arg_0]<br />
.text:63CDE588 push edi<br />
.text:63CDE589 lea edi, [ebp+var_28]<br />
.text:63CDE58C mov [ebp+var_4], edx<br />
.text:63CDE58F movsd<br />
.text:63CDE590 movsd<br />
.text:63CDE591 movsd<br />
.text:63CDE592 movsd<br />
.text:63CDE593 mov esi, [ebp+arg_4]<br />
.text:63CDE596 test esi, esi<br />
.text:63CDE598 jnz loc_63B1A8DF<br />
.text:63CDE59E<br />
.text:63CDE59E loc_63CDE59E:<br />
.text:63CDE59E imul ecx, [edx+4], 18h<br />
.text:63CDE5A2 xor bl, bl<br />
.text:63CDE5A4 mov eax, [edx+8] <br />
.text:63CDE5A7 add eax, 0FFFFFFE8h<br />
.text:63CDE5AA add eax, ecx<br />
.text:63CDE5AC mov [ebp+arg_0], eax<br />
.text:63CDE5AF mov edi, [eax+14h]<br />
<br />
The outer object, CDispSurface, contains a CClipStack object inside of it. The CClipStack<br />
object starts at offset 0x64 into the CDispSurface object. CClipStack is basically just<br />
a subclass of CImplAry it seems, which is a generic array class that Internet Explorer<br />
uses all over the place for arrays. In the above function, CDispSurface::CClipStack::PushClipRect,<br />
the 'this' pointer is the subobject CClipStack inside of the outer CDispSurface.<br />
<br />
The CClipStack object looks something liek this:<br />
<br />
DWORD dwMaxElems;<br />
DWORD dwCurElems;<br />
VOID *pElems;<br />
<br />
So, looking at the above code, you can guess what is going on. What the above code is doing is<br />
extracting the last element from the CClipStack array. Each element in the array is 0x18 bytes in size,<br />
hence:<br />
<br />
imul ecx, [edx+4], 18h ; dwCurElems * 0x18<br />
mov eax, [edx+8] ;pElems<br />
<br />
But then you can see the following:<br />
<br />
add eax, 0FFFFFFE8h ; subtract 0x18 from pElems<br />
add eax, ecx ; pElems += (dwCurElems * 0x18)<br />
<br />
However, if the array is empty, dwCurElems * 0x18 '==' 0, and so pElems<br />
will actually point BEHIND the start of the array, into the adjacent heap chunk<br />
below it. The array itself contains objects of the type CWorldTransform, which you can<br />
infer from the code that crashes shortly after extract the object from the array. ecx<br />
is the object pointer taken from the 'mov edi, [eax+14h]' operation:<br />
<br />
.text:63B1A940 ; public: bool __thiscall CWorldTransform::IsAxisAligned(void)const<br />
<br />
.text:63B1A940 test dword ptr [ecx+8], 80000000h ;ecx == BAD<br />
<br />
So, where is the array allocated:<br />
<br />
MSHTML!CDispSurface::CClipStack::PushClipRect+0x32:<br />
6b97e5a7 83c0e8 add eax,0FFFFFFE8h<br />
0:013> !heap -p -a eax<br />
address 0c4b0fa0 found in<br />
_DPH_HEAP_ROOT @ 211000<br />
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)<br />
c45123c: c4b0fa0 60 - c4b0000 2000<br />
739f8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229<br />
77a95e7a ntdll!RtlDebugAllocateHeap+0x00000030<br />
77a5a3ba ntdll!RtlpAllocateHeap+0x000000c4<br />
77a25a70 ntdll!RtlAllocateHeap+0x0000023a<br />
6b55c592 MSHTML!CImplAry::EnsureSizeWorker+0x00000061<br />
6b584513 MSHTML!CDispSurface::BeginDraw+0x00000122<br />
6b2847a0 MSHTML!CCanvasRenderingContext2D::BeginDraw+0x00000041<br />
6b286155 MSHTML!CCanvasContextBase::OpenBitmapRenderTarget+0x00000014<br />
6b283b77 MSHTML!CCanvasCompositor::Initialize+0x0000102f<br />
6b285cf7 MSHTML!CCanvasRenderingContext2D::StrokeGeometry+0x00000131<br />
6b285090 MSHTML!CCanvasRenderingContext2D::ExecuteStroke+0x000002c4<br />
6b284dae MSHTML!CFastDOM::CCanvasRenderingContext2D::Trampoline_stroke+0x00000035<br />
6ae7056e jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x00000165<br />
6ae6cdda jscript9!Js::InterpreterStackFrame::Process+0x00001e74<br />
6ae6dc86 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x000001e7<br />
<br />
It is in the 0x60 LFH bin. We can control the chunk behind the array by doing some heap crafting.<br />
But the bad part of that code above is that the calculation for extracting the object used is<br />
this:<br />
<br />
(BYTE *)pArrayStart - 0x18 + 0x14 => (BYTE *)pArrayStart - 0x4<br />
<br />
That results in using the flags/index field of the LFH chunk header as an object pointer.<br />
That's not really good as the bytes in that field are not super controllable (I think).<br />
<br />
<br />
<br />
For seeing how to possibly control that second dword of the LFH header:<br />
<br />
http://illmatics.com/Understanding_the_LFH.pdf<br />
<br />
<br />
Collaboration with Sean Larsson<br />
</pre></div>Pwnwiki