(The fix and CVE number for this issue are not known.)
A specially crafted web page can cause Microsoft Edge to free the memory used for
a CAttrArray object. The code continues to use the data in the freed memory block
immediately after freeing it. There does not appear to be enough time between
the free and the reuse to exploit this issue.
Microsoft Edge 11.
<x style=" background-image: inherit; text-decoration: line-through; height: 0; width: 0; top: 0; left: 0; right: 0; bottom: 0; font: menu;">
<body id=x style=margin:5 onload=x.
When an element is created and style properties are added, these are stored in
a CAttrArray object. A new CAttrArray is able to store up to 8 properties.
If more properties need to be stored, the code will allocate memory for a new
CAttrArray and copy the existing properties into this new object
before freeing the old memory. The code will then continue to use the freed
memory almost immediately. In the first repro, the "font" style property is the
ninth property and triggers this issue. In the second repro, the only property
in the CAttrArray is removed, at which point it is freed but no new object
is allocated. However, the code follows the same path and also reuses the freed
Below you can find an annotated disassembly for the
function, which calls
CAttrArray:: (in which the memory is freed) before
looping and reusing the memory. This loop shows there is very little time
between the two events in which to reallocate the memory and attempt to control
its contents. There also does not appear to be much this function could be made
to do even if the memory contents could be controlled.
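As an added illustration (not Edge's code or this advisory's own), the following C model reproduces the ordering described in the two paragraphs above: an array with room for 8 properties is reallocated on the ninth insert, and the buggy path frees the old block before a loop that still reads from it. Real free() is replaced by a tracked flag so the stale reads are counted instead of being undefined; attr_array, attr_add and simulate are hypothetical names.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Added model, not Edge's code: an attribute array with room for 8 entries
 * that must be reallocated on the 9th insert. free() is replaced by a flag so
 * that reads from the "freed" block are counted instead of being undefined. */
#define INLINE_CAP 8

typedef struct {
    int  *props;       /* property ids (stand-ins for the style properties) */
    int   count, cap;
    bool  freed;       /* set by tracked_free(); memory is deliberately leaked */
} attr_array;
static int uaf_reads;  /* number of reads through an already freed array */
static void tracked_free(attr_array *a) { a->freed = true; }
static int tracked_get(const attr_array *a, int i) {
    if (a->freed) uaf_reads++;   /* what page heap / ASan would flag in Edge */
    return a->props[i];
}

static attr_array *attr_new(int cap) {
    attr_array *a = calloc(1, sizeof *a);
    a->props = calloc((size_t)cap, sizeof *a->props);
    a->cap = cap;
    return a;
}

/* Grow by copying, then either free-then-loop (buggy) or loop-then-free. */
static attr_array *attr_add(attr_array *old, int prop, bool buggy) {
    if (old->count < old->cap) { old->props[old->count++] = prop; return old; }
    attr_array *grown = attr_new(old->cap * 2);
    memcpy(grown->props, old->props, (size_t)old->count * sizeof *old->props);
    grown->count = old->count;
    if (buggy) tracked_free(old);          /* freed before the loop below */
    for (int i = 0; i < old->count; i++)   /* duplicate check still reads old */
        if (tracked_get(old, i) == prop) return grown;
    if (!buggy) tracked_free(old);         /* correct order: free last */
    grown->props[grown->count++] = prop;
    return grown;
}

/* Insert 9 distinct properties; return how many freed-memory reads occurred. */
static int simulate(bool buggy) {
    uaf_reads = 0;
    attr_array *a = attr_new(INLINE_CAP);
    for (int id = 1; id <= 9; id++) a = attr_add(a, id, buggy);
    return uaf_reads;
}
```

The ninth insert in the buggy ordering touches all 8 copied entries after the free, which is the tiny free-to-reuse window the advisory describes.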