Vulnerability Development mailing list archives

RE: IE 5.x (5.50.4522.1800 SP1) Crash at gopher://:


From: "Kayne Ian (Softlab)" <Ian.Kayne () softlab co uk>
Date: Wed, 16 May 2001 11:42:04 +0100

Hey...

IE 5.00.2920.000, Win2k Pro SP1.

This is a bit weird. I've been following this thread, and tried a few things
myself. Wonder if anyone can explain this behaviour.

- If I use the ftp://: url, it crashes IE only.
- If I use the gopher://: url, it does nothing
  (the usual "The Page Cannot be Displayed")

So I had a play.

I tried test://:, it did nothing. Typing me://: auto-corrected the url to
mk://:, if anyone knows what that is?

So, just for a laugh I typed hello://: which auto-corrected to shell://: 

This did something a little strange. It seemed to go in some kind of loop,
flashed the titlebar a few times (like it was rapidly switching between
applications), open a second window and then immediately close it. This
second window showed up as a second instance of IE. It vanishes pretty
quick, so I can't get much more info about it.

Now, the weird thing is this. I've managed to make this happen a few times,
but it seems slightly random. Wonder if anyone else can reproduce this:

1. type shell://: hit return. Normal extra window appears
2. type shell://:; hit return. TWO extra windows appear
3. type shell://:;; hit return. 2 or 3 extra windows appear
4. type shell://: hit return. Explorer comes back with an exception error:

The Exception unknown software exception (0xc00000fd) occurred in the
application at location 0x76c82587

So, I debug in VC6, I get:

A fatal exception occurred in shdoclc.dll 76C82587   (sorry for not giving
the exact error). That pans out to this:

76C82587   test        dword ptr [ecx],eax


Now, my asm is hazy (for hazy, read non-existent :) but, this may be of
consequence:

76C82563   cmp         al,0E4h
76C82565   mov         edx,7DBF11CFh
76C8256A   add         byte ptr [edx-11B99700h],ch
76C82570   push        ecx
76C82571   cmp         eax,1000h
76C82576   lea         ecx,[esp+8]
76C8257A   jb          76C82590
76C8257C   sub         ecx,1000h
76C82582   sub         eax,1000h
76C82587   test        dword ptr [ecx],eax
76C82589   cmp         eax,1000h
76C8258E   jae         76C8257C
76C82590   sub         ecx,eax
76C82592   mov         eax,esp
76C82594   test        dword ptr [ecx],eax
76C82596   mov         esp,ecx
76C82598   mov         ecx,dword ptr [eax]
76C8259A   mov         eax,dword ptr [eax+4]
76C8259D   push        eax
76C8259E   ret

When I tried a little variation on the shell://:;; thing, I got this:

Unhandled exception in EXPLORER.EXE (ADVAPI32.DLL): 0xC00000FD: Stack
Overflow.

This is a pretty nasty explorer.exe crash. It dumps me back to a blank
screen, with my apps still running. I can alt-tab to them, but as soon as
they lose focus you can't get them back by clicking on them - it's like
they become part of the background picture, if you get my meaning. Task
Manager - Run - Explorer.exe doesn't bring explorer back. In fact, nothing
short of a reboot seems to fix this. As soon as I close VC debugger, the
machine is as good as dead.

ideas, comments?

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company
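
An added example, not part of Ian's post or the thread: the listing from
76C8257C to 76C8259E matches the pattern of the MSVC stack-probe routine
(_chkstk / _alloca_probe). eax carries the frame size, ecx walks down from
the caller's esp one 0x1000-byte page at a time, and each `test dword ptr
[ecx],eax` touches the page so the guard page below the committed stack is
hit in order. When there is no reserved stack left to grow into, that touch
raises STATUS_STACK_OVERFLOW (0xC00000FD), which is exactly the exception
code and faulting address (76C82587) reported above; the instructions before
76C82570 look like the debugger started decoding mid-instruction and can be
ignored. The C below emulates that loop over a constructed stack region (the
addresses, bounds and sizes are assumptions for the example, not values from
the thread) and reports which pages a probe touches and at which frame a
runaway recursion would fault. The real guard page first extends the stack
and only faults once the reservation is exhausted; the emulation collapses
that into a single hard limit.

```c
/* Emulation of the MSVC stack-probe loop (sub ecx,1000h / sub eax,1000h /
 * test dword ptr [ecx],eax). All addresses, bounds and sizes are constructed
 * for this example. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 0x1000u

/* Constructed committed stack region [limit, top). A touch below 'limit' is
 * treated as a fault; the real guard page grows the stack first and faults
 * only when the reservation is used up. */
typedef struct {
    uintptr_t top;
    uintptr_t limit;
} sim_stack;

static const sim_stack example_stack = { 0x00130000u, 0x00120000u };
#define EXAMPLE_SP 0x0012FF80u   /* assumed caller's esp when the probe runs */

/* sp is the caller's esp (lea ecx,[esp+8] after push ecx); size is eax.
 * Returns the number of page touches, or -1 if a touch falls below the
 * limit, which is where the real routine faults with STATUS_STACK_OVERFLOW
 * (0xC00000FD). new_sp, if non-NULL, receives the esp the probe would
 * install with mov esp,ecx. */
int stack_probe(const sim_stack *st, uintptr_t sp, uint32_t size,
                uintptr_t *touched, int max_touched, uintptr_t *new_sp)
{
    uintptr_t ecx = sp;
    uint32_t  eax = size;
    int n = 0;

    while (eax >= PAGE_SIZE) {                 /* cmp eax,1000h / jae loop */
        ecx -= PAGE_SIZE;                      /* sub ecx,1000h */
        eax -= PAGE_SIZE;                      /* sub eax,1000h */
        if (ecx < st->limit) return -1;        /* test dword ptr [ecx],eax */
        if (touched && n < max_touched) touched[n] = ecx;
        n++;
    }
    ecx -= eax;                                /* sub ecx,eax */
    if (ecx < st->limit) return -1;            /* final test dword ptr [ecx],eax */
    if (touched && n < max_touched) touched[n] = ecx;
    n++;
    if (new_sp) *new_sp = ecx;                 /* mov esp,ecx */
    return n;
}

/* Number of frames of frame_size bytes that pass the probe before one
 * touch crosses the limit: the shape of a runaway recursion. */
int frames_until_overflow(const sim_stack *st, uintptr_t sp, uint32_t frame_size)
{
    int frames = 0;
    uintptr_t next;
    if (frame_size == 0) return 0;             /* a zero frame never moves sp */
    while (stack_probe(st, sp, frame_size, NULL, 0, &next) >= 0) {
        frames++;
        sp = next;
    }
    return frames;
}

/* Wrapper over the constructed scenario; touched pages land in last_touched. */
uintptr_t last_touched[64];

int example_probe(uint32_t size)
{
    return stack_probe(&example_stack, EXAMPLE_SP, size, last_touched, 64, NULL);
}

int main(void)
{
    int n = example_probe(0x2800);
    printf("probe of 0x2800 bytes touched %d pages:", n);
    for (int i = 0; i < n; i++)
        printf(" %08lx", (unsigned long)last_touched[i]);
    printf("\n");
    printf("probe of 0x10000 bytes: %d (-1 = fault)\n", example_probe(0x10000));
    printf("frames of 0x3000 bytes before overflow: %d\n",
           frames_until_overflow(&example_stack, EXAMPLE_SP, 0x3000));
    return 0;
}
```

Note that a frame whose size is an exact multiple of 0x1000 gets its last
page touched twice (once in the loop, once after `sub ecx,eax` with eax at
zero), just as the real routine does; the count includes both touches.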


-----Original Message-----
From: Uidam, T (Tim) [mailto:Tim.Uidam () SYD RABOBANK COM]
Sent: Wednesday, May 16, 2001 7:04 AM
To: 'Fernando Merino Levadinha'; VULN-DEV () SECURITYFOCUS COM
Subject: RE: IE 5.x (5.50.4522.1800 SP1) Crash at gopher://:


Didn't crash on mine, just like the FTP one doesn't crash on mine...
NT4 Workstation, SP5 - IE5.5 SP1 (5.50.4522.1800 SP1)

As I said before, I _suspect_ that this is because I do NOT have the IE
Browsing enhancements installed... you know the one that displays FTP sites
like explorer...

-----Original Message-----
From: Fernando Merino Levadinha [mailto:chuck () bn com br]
Sent: Wednesday, 16 May 2001 7:42
To: VULN-DEV () SECURITYFOCUS COM
Subject: IE 5.x (5.50.4522.1800 SP1) Crash at gopher://:


Hi list,

It seems to be a new bug; I crashed my IE 5.x (5.50.4522.1800 SP1) with
this URL:

gopher://:

It's like an older bug in IE 4.x (ftp://:).

regards,

--

Fernando Merino Levadinha
USJT Network Administrator
fernando () usjt br - [icq] 7452105

PGP Fingerprint: A752 7473 A351 5D87 045D  3205 0C09 8C2F 4B99 0D20









