Read the original article: Crash Reproduction Series: Microsoft Edge Legacy NULL Pointer Dereference
During yet another Digital Forensics investigation using ZecOps Crash Forensics Platform, we saw a crash of the Legacy (pre-Chromium) Edge browser. The crash was caused by a NULL pointer dereference bug, and we concluded that the root cause was a benign bug of the browser. Nevertheless, we thought that it would be a nice showcase of a crash reproduction.
Here’s the stack trace of the crash:
00007ffa`35f4a172 edgehtml!CMediaElement::IsSafeToUse+0x8
00007ffa`36c78124 edgehtml!TrackHelpers::GetStreamIndex+0x26
00007ffa`36c7121f edgehtml!CSourceBuffer::RemoveAllTracksHelper<CTextTrack,CTextTrackList>+0x98
00007ffa`36880903 edgehtml!CMediaSourceExtension::Var_removeSourceBuffer+0xc3
00007ffa`364e5f95 edgehtml!CFastDOM::CMediaSource::Trampoline_removeSourceBuffer+0x43
00007ffa`3582ea87 edgehtml!CFastDOM::CMediaSource::Profiler_removeSourceBuffer+0x25
00007ffa`359d07b6 Chakra!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x207
00007ffa`35834ab8 Chakra!amd64_CallFunction+0x86
00007ffa`35834d38 Chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > > >+0x198
00007ffa`35834f99 Chakra!Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > >+0xb8
00007ffa`3582cd80 Chakra!Js::InterpreterStackFrame::ProcessProfiled+0x149
00007ffa`3582df9f Chakra!Js::InterpreterStackFrame::Process+0xe0
00007ffa`3582cf9e Chakra!Js::InterpreterStackFrame::InterpreterHelper+0x88f
0000016a`bacc1f8a Chakra!Js::InterpreterStackFrame::InterpreterThunk+0x4e
00007ffa`359d07b6 0x0000016a`bacc1f8a
00007ffa`358141ea Chakra!amd64_CallFunction+0x86
00007ffa`35813f0c Chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x2aa
00007ffa`35813e4a Chakra!Js::JavascriptFunction::CallRootFunction+0x7c
00007ffa`35813d29 Chakra!ScriptSite::CallRootFunction+0x6a
00007ffa`35813acb Chakra!ScriptSite::Execute+0x179
00007ffa`362bebed Chakra!ScriptEngineBase::Execute+0x19b
00007ffa`362bde49 edgehtml!CListenerDispatch::InvokeVar+0x41d
00007ffa`362bc6c2 edgehtml!CEventMgr::_InvokeListeners+0xd79
00007ffa`35fdf8f1 edgehtml!CEventMgr::Dispatch+0x922
00007ffa`35fe0089 edgehtml!CEventMgr::DispatchPointerEvent+0x215
00007ffa`35fe04f4 edgehtml!CEventMgr::DispatchClickEvent+0x1d1
00007ffa`36080f10 edgehtml!Tree::ElementNode::Fire_onclick+0x60
00007ffa`36080ca0 edgehtml!Tree::ElementNode::DoClick+0xf0
[…]
Amusingly, the browser crashed in the CMediaElement::IsSafeToUse function.
Read the original article: Crash Reproduction Series: Microsoft Edge Legacy NULL Pointer Dereference