CSS Animations NULL pointers

Fixed Issue #7492534


May 9, 2016
This issue is public.
Found in
  • Microsoft Edge
Found in build #
Fixed in build #
Reported by 1 person


Steps to reproduce


<style>body{animation-name:a}@keyframes a{0%{font:menu

I have multiple slightly different repros that lead to crashes with slightly different stacks, but all these appear to have the same root cause, so I won’t upload them all.

At first glance this may appear to be a security issue, as the code reads from an apparently arbitrary address. However, it turns out the code attempts to use a NULL pointer in a function call that is protected with Control Flow Guard (CFG) mitigations. The CFG code attempts to look up the function address in a table, but since there is no memory allocated at address 0, no memory is allocated for that part of the table either, causing the access violation. The memory at this address is reserved, however, so CFG cannot be bypassed by attempting to allocate memory there under an attacker's control.


1 attachment

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Ibrahim O.”

    Changed Assigned To to “Travis L.”

    Changed Assigned To from “Travis L.” to “Joseph S.”

    Changed Status to “Confirmed”

    Changed Status from “Confirmed”

    Changed Assigned To to “Bogdan B.”

    Changed Assigned To to “Rick J.”

    Changed Status to “Confirmed”

    Changed Assigned To from “Rick J.” to “Olga G.”

    Changed Status from “Confirmed” to “In code review”

    Changed Status from “In code review” to “In progress”

    Changed Status from “In progress” to “Fixed”

  • We are showing this as fixed with builds higher than 14374.14374.  Thank you for your feedback.

    All the best,
    The MS Edge Team
