Microsoft Internet Explorer 11 MSHTML CView::CalculateImageImmunity Use-After-Free

Posted by deepcore on November 3, 2016 – 12:18 am

Setting the listStyleImage property of an Element object causes MSIE 11 to allocate a 0x4C-byte “image context” structure, which holds a reference to the document object as well as a reference to the same CMarkup object that the document references. When the element is removed from the document (or document fragment), this image context is freed on the next “draw”; however, the code continues to use the freed context almost immediately after it is freed, which is the use-after-free.
