An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, the chrome crashes with a Google Chrome message window "Whoa! Google Chrome has crashed. Restart now?". It fails in dealing with the POP EBP instruction when pointed out by the EIP register at 0x01002FF4. - Peter Dawson
Details:
- Type of Issue : Buffer Overflow.
- Affected Software : Google Chrome 0.2.149.27.
- Exploitation Environment : Google Chrome on Windows XP SP2.
- Impact: Remote code execution.
- Rating : Critical. http://security.bkis.vn/Proof-... - Peter Dawson
If a vector variable is stored in a register, gcc writes debug information telling gdb which register the variable is stored in. This mapping is changed between gcc2 & gcc3. Since there isn't anything in the debug output to distinguish code compiled by gcc3 from code compiled by gcc2, there is no way for gdb to know the right map. gdb supports the gcc3 map.
If vector code is compiled by gcc2 as in the case of IOS, then the register assignment will be off by 1. - Peter Dawson
