A particular Market place Please using Catherine Lansfield Home bedding

Sprei Murah bedding are generally requisite to a master bedroom to find the best of style along with ease and comfort. The market industry gives a enchanting number of bedding to accommodate each desire along with nice with several charges to slip each finances. Significant famous models of home bedding should be Catherine Lansfield and that is a professional along with respected manufacturer out there.

Supreme alternative
Catherine Lansfield home bedding sometimes appears as being an supreme alternative for the master bedroom to create the idea appropriate however you like along with extravagance. Catherine’s premium quality home bedding is advisable to make the correct atmosphere within the room to unwind throughout. One can possibly experience a massage using Catherine Lansfield home bedding caressing your skin layer jointly sinks upon your bed or maybe rotate all-around to take pleasure from their actual softness along with extravagance.

Catherine’s superb home bedding is just the thing to check preferred duvet cover or maybe bedding to the ideal place design or maybe fashion. Your ex highest regarded good quality home bedding the actual best collection of bed linens to perform bed.

A growing number of ındividuals are picking home bedding by simply Catherine Lansfield on her behalf excellent preference however you like along with layout about bed linens that give ease and comfort, extravagance along with low cost. Just about any sheets and pillowcases item of Catherine Lansfield gives upon an unique atmosphere in the bedroom that is certainly appealing along with exciting for the fine relax knowing.

Possibilities
Bedding by simply Catherine Lansfield appear in numerous types of elements to meet up with different client personal preferences. There is a combed silk cotton home bedding in which exudes actual softness along with ease and comfort while Egyptian sheets and pillowcases by simply Catherine is usually unique along with elegant. Percale along with silk silk cotton sheets and pillowcases by simply Catherine Lansfield kinds superb ways for shoppers who have adore to always be a massage very own bed frames.

Catherine Lansfield bedding come in all types of colorings along with styles to slip anyone. All these highest regarded bedding appear in one, california king or maybe california king styles for you to serve just about any sleep dimensions intended for confident coziness extravagance. House owners perform about setting up a complex master bedroom using any kind of Catherine Lansfield home bedding while using extensive alternatives out there right now.

You can actually mix and match bed ingredients using Catherine Lansfield quilts possibilities which might be elegant and chic with reasonably priced charges. The market industry carries a plethora of quilts stores, manufacturers along with merchants in which hold Catherine Lansfield quilts to generate a straightforward order quickly.

Shoppers could construct the ideal master bedroom efficiently with out specialized assistance with any kind of Catherine Lansfield quilts possibilities.

READ FULL POST

Bed Linens-Storage Tips And Ideas

Sprei Murah being used as you fall asleep. Pillows, pillow cases, bed sheets and blankets are some of the most popular that you will see in the market. In order for you to sleep well at night, you need to have these things in your bed. A bed pillow must properly support your neck and your head. Bed sheets and blankets must cover you to make you feel warm and comfortable. One more thing that you need to remember is that you have to take good care of these bed linens. These can be very expensive. In order to make them last for a long period of time, you may need to store them in the right way. Storing bed linens may sound so simple. You have to realize that there are some tips and factors that you have to consider in order for you to do it right. Take a look at designer bedding.

The linens that you have at home must be cleaned and washed regularly. Some experts say that bed linens must be changed at least once a week in order to prevent fast tearing of the cloth. Wash the bed linens effectively. The first thing that you need to do is to read the instructions of the manufacturer to see special considerations in washing if there is indeed any. Some may specify that you wash it with cold of warm water. See wool blanket now.

DRY IT UP
After you wash the bed linens, you need to dry them up carefully. In drying these bed linens, you have to realize that you can use the lowest temperature of the dryer. Drying the bed linens too fast will cause possible damage on the linens. Set the temperature at its lowest. One more thing that you need to realize is that you have to remove the bed linens while they are still slightly damp. This will ensure that wrinkles will be minimized in the bed sheets.

BAG
A bag may be needed in order for you to effectively store the bed linens. Make sure that the bag is made of materials that are not synthetic. This will keep the linens in a good state. A bag will help in organizing the linens after you have folded it. One thing that you can do is to put labels on each bag. The label will identify what types of bed linens are inside. This will make organizing the linens easier.

LOCATION
It is very important that you will be able to find the right place for the linens that you will store. Choose a location that is dry, free of moisture and dark. This will ensure that while you are not using the bed linens, they are stored in the right place.

In storing bed linens, you may need simple reminders that will surely help you. One thing that you can do is to remember the tips mentioned all the time. These will surely help you on how to do it the best and right way.

READ FULL POST

your five Beauty advice Intended for Teenage Girls: Simple fact Compared to Hype

Many of the famous beauty advice intended for teenage girls are definitely not based upon just about any factico data but rather hearsay transferred from a technology to another one. Generally is it doesn't parents involving teenage girls who have believe they can be required to express splendor tricks making use of their fresh women kids. However most of these supposed beauty advice intended for teenage girls currently being contributed by simply well-meaning mothers and dads are definitely not based upon just about any specifics and in some cases could actually lead to far more injury when compared with fine. On this page you will look into most of these widely used proven beauty advice intended for teenage girls along with show you regardless of whether every single situated delve into simple fact when compared with hype.

Beauty advice Intended for Teenage Girls #1: Simple fact or maybe Hype?

Day-to-day Frizzy hair Scrubbing Intended for Healthy Hair Presently explained to in which to obtain healthy hair it is advisable to comb nice hair powerfully, no less than hundred cerebral vascular accidents on the comb, at least once daily? This kind of splendor hint ended up being normally acknowledged to be real until eventually quite not too long ago. Almost certainly since just about any abnormal scrubbing on the frizzy hair can activate the production of sebum from the top of the head making the hair shopping bright along with balanced. Research show that it sort of excess hair scrubbing not simply makes you enjoy a fatty top of the head ultimately causing slammed frizzy hair tiny holes for you to slow down new hair growth together with motion on the scrubbing on your own could become weak the hair follicles along with increase the probability of frizzy hair the break point. Hence the clever realization is that it is certainly one of people beauty advice intended for teenage girls which will truly lead to far more injury when compared with fine. Conclusion: Hype

Beauty advice Intended for Teenage Girls #2: Simple fact or maybe Hype? Excessive Resting Reasons Varicose Undesireable veins

Have you viewed an individual using black orange undesireable veins working such as a search engine spider website top to bottom their very own lower limbs along with legs? If you are, you then have observed precisely what are referred to as varicose undesireable veins. One of several generally contributed beauty advice intended for teenage girls claims why these bad shopping undesireable veins are caused by resting excessive. In cases like this, we live dealing with a simple fact. Varicose undesireable veins are generally because of weak circulation of blood which will if you will be resting intended for lengthy time frames, plus if however, you always be browsing the location for years. To help you steer clear of varicose undesireable veins it is significant being transferring your whole body along with stretching out to ensure there may be fine circulation of blood in our human body, specially in the lower limbs along with legs. And so steer clear of just about any condition what your location is forced to be seated or maybe symbolize a long time and instead get upwards along with stroll or maybe in the event that ranking, subsequently shift from a destination to yet another to hold in which body going.

Beauty advice Intended for Teenage Girls #3: Simple fact or maybe Hype? Lean Nice hair Helps it be Expand More rapidly

Of the beauty advice intended for teenage girls which we will likely examine, this is just about the most popular. Many girls can believe this kind of can work. Regretfully you could have trim nice hair intended for practically nothing, since this doesn't work which is for that reason hype. Typical frizzy hair merely expands within a common of 1 fifty percent a inches each and every month using extra expansion going on merely in the warm weather. Shaping nice hair will not likely transform this kind of expansion circuit on the frizzy hair along with force it to expand just about any more rapidly. The truth is the hair shaping has been performing just the contrary, while after trimmed, as an alternative to finding the much longer frizzy hair you will be in search of the truth is at this point you get quicker frizzy hair!

Beauty advice Intended for Teenage Girls #4: Simple fact or maybe Hype? Tooth paste Can be an Pimple Get rid of

For anyone who is similar to a lot of teenage girls along with find it difficult to manage skin pimple, your own personal parent or guardian or maybe another individual could possibly have proposed the application of tooth paste as being an pimple get rid of on your confront. Not simply is niagra an imagined splendor hint intended for teenage girls, nevertheless is certainly one splendor hint which may help your pimple difficulty even more difficult. Truth be told in which tooth paste can not support get rid of your own personal skin pimple difficulty in case it is not a rotten thing to do, the harmful chemicals inside the tooth paste could actually encourage more pimple and in some cases possibly bring about scare tissue. And so yet again, stay away from the using tooth paste along with seek out specialized tips coming from a skin specialist by what tools are safe and effective to work with on your pimple difficulty. All things considered, its referred to as tooth paste for the explanation!

Beauty advice Intended for Teenage Girls #5: Simple fact or maybe Hype? A terrific Brown Compatible Wonderful Well being

For quite a while both equally grownups along with teenage years assumed in which developing a wonderful suntan built you look balanced. Regretfully you can still find a lot of people who have consider this kind of and in many cases merchandise currently being sold that could try and mislead anyone straight into thinking that abnormal getting brownish naturally is wonderful for anyone. The truth is there may be a great deal of study in which testifies undeniably how the thought of developing a suntan appearing fitter is usually bogus. Targeted direct sun light coverage generally contributes to skin area types of cancer, several of that can be critical on the unwilling recipient. Not too long ago possibly getting brownish naturally bed frames are actually shown to encourage skin area types of cancer in most people and an evergrowing open public require limits about who is able to pay a visit to direct sun light getting brownish naturally hair salons and spas, a lot like damaging someone buy involving liquor. Naturally many of us want to get exterior, specially with a sizzling bright moment. No person says that you may never get exterior or maybe proceed to the beachfront with a sizzling moment. Quite you must be considerably more mindful at this point than previously due to glaring sun's rays. Implement protection from the sun creams and gels before going exterior in case you'd like to shell out a lengthy time frame in the sun, subsequently employ no less than direct sun light monitor which has a SPF status involving 30th. Be sure and don some sort of do not lik in order to avoid some sort of direct sun light burn up on your own top of the head along with put on mild garments to help you secure hypersensitive limbs for instance your own personal arms and legs if the gel don off of. The majority of anyone scanning this might discover that it is among the most tough one of several beauty advice intended for teenage girls to receive considering that many of us have also been pass through a great number of adverts in recent times sharing with us all precisely how interesting shopping some sort of direct sun light brown could make you look on the contrary sexual.

Hopefully why these beauty advice intended for teenage girls mentioned on this page will assist you to health and well being and prevent many of the problems linked to blindly trusting issues that are just untrue if we examine tips on how to always be lovely.

 Go to the Beauty Tips for further detail about Beauty

READ FULL POST

Nurturing Lavish Base Linens-Obvious Strategies

Having Bed Linen Robustness plus Excellent
1. Please take a few strokes to learn to read the exact care and attention tags plus adhere to the information in the bedsheets programs in advance of washing your individual bed and bath. Totally obvious, it could seem, however when is the past occasion you undoubtedly would the following? Care and attention tags often deliver pretty unique instructions pertaining to repairing your bedsheets, depending on the garment form, place matter, products, vendor and colours from your bed linen. Washing information undertake are different the other volume will never really fit in most of.

1. Understand your individual rinse off product functions. For a second time, you cannot assume all rinse off units are produced alike. There will probably be many field unique designs used in the location solutions. If you are not experienced with washing laundry designs and don't learn what the exact designs signify do some research to understand to avoid great priced problems. Not doing this could result in your individual misinterpretation of your information and at last towards mess up from your high class bed and bath. Realizing the way to touch your individual bed and bath during the product may help avert shrinking and the very first excellent from your bed sheets.

1. Considering i will be continually hence chaotic most people be likely speedy perfect the cleaning up practice and as a result overstuff the exact rinse off product to make it through accomplishing this much faster. Due to this fact, most people generate pretty terrible conclusions by way of reasoning that it may not seriously make any difference plainly merge the exact pigmented bed and bath along with the white cloths, or simply plainly material requisite article during the product, it may possibly tackle them. You should never surcharge the exact units. Destruction can be two-fold. 1) Should the bed and bath doesn't have a adequate room to relocate during the product, the following stops the exact cleaning up practice, by way of compacting in addition dirt and grime that have been eradicated within the cleaning up practice which wanted to towards bed and bath, thus spoiling them plus 2) Addung the cutter leaves even more stress and anxiety in the product while it would need to operate trickier to make it through the exact pattern.

1. Preserving your individual financial commitment as part of your excellent bed linen as well will depend on considerably in the variety of washing laundry washing liquid you choose. Quite a few liquids possess nasty cleaning up products that might problems your individual lavish bed and bath by way of evoking the colorations that will lose color. This really is held back boost not one but two stages. 1) Apply even more light liquids plus 2) You should never apply an excess of washing liquid. Though aren't like looking at the exact sodding within the rinse off methods, we will execute the exact same volume of personal hygiene with bed linens by way of reducing our the level of washing laundry washing liquid within the basketfull by way of although 50 % what the heck is ordinarily utilised.

1. Why not consider the exact seasoning practice? It's not at all recommended to in excess of waterless your individual excellent bed and bath. Our team does overdry your bed and bath since most people like the comfort as well as pleasing odor of your garment softener after we clear away your bed and bath with the hair dryer. In excess of seasoning can be bad for the exact reliability of your high class bed sheets (and as well induce ) by way of evoking the colorations that will lose color. How can we find out august 2010 SO to locate the bed and bath with the hair dryer? An uncomplicated rule helps defend your individual financial commitment. Obtaining bed linen with the hair dryer when however marginally soggy is all to consider to undertake bring about. Use never always keep bed and bath during the hair dryer pertaining to for a longer time as compared with vital. Through the manner in which, or even thought to be seasoning your individual bed and bath during the pure daylight within the exciting many months? Very few factors stench as good as the exact pure scented with sundried washed bed and bath.

It is actually frequently recognised great excellent bed linen might help excellent plus assortment snooze that many of us have. The fact is that, we sometimes you should never give more than enough in order to the ideal care and attention of your lavish bed linen the truly saved. Due to this fact, we sometimes unsuspectingly tighten the relationship plus excellent your excellent bed linen. Check out these strategies so when people take good care of your individual high class bed and bath. As well, look at the care and attention tags and pay attention to if perhaps most of around people had missed a major primary your individual bed and bath care and attention practice. Inform us if perhaps most of these uncomplicated nonetheless necessary guidelines were definitely a close watch operator available for you.

"Jual Sprei Murah & Grosir Sprei Murah"

READ FULL POST

Entering into Out of Memory Condition

In this blog post I'm describing an approach to force the execution flow to enter into out of memory (OOM) error conditions when the amount of memory to allocate is not controlled by the attacker as in the example below.

#define MAX_SIZE 0x08000000 /* 128M */

ptr = malloc(MAX_SIZE)
if (ptr == NULL)
{
  return OUT_OF_MEMORY;
}

When testing software, it's reasonable to think that error conditions like above are unlikely to be reached as often as other error conditions. Some of them may never get reached because it's not obvious to make the allocation with fixed-size to fail.

OOM error condition could be a potential to enter into vulnerable code path. One example I've heard that the memory allocation had failed and the error condition led to call the cleanup functionality which caused to free of uninitialized pointer.

When testing, one possible way to make memory allocation to fail is to hook the memory allocation function and change the functionality to fail, that is to return with NULL pointer. However, I wanted to avoid this approach of testing because even if I find bug I'd still need a lot of work to reproduce it in real word scenario (if possible at all), when the hook is not applied.

Therefore, what I thought is that the other way to force fixed-size memory allocation to fail is to consume large amount of memory of the virtual address space, and as a consequence the program will be operating under low-memory conditions. This means if memory allocation occurs with reasonable small size it could fail because there is not much memory available. My theory is that any vulnerability found that we reach via OOM error conditions can be reproduced in a real word scenario because we always expect to find something that triggers to consume large amount memory in order to make other allocation to fail. This is pretty much possible in browsers where basically you can easily fill arbitrary amount of the heap memory.

Experimentally, I involved this approach in my fuzzing methodology. I attach the target process to Windbg and execute .dvalloc command to allocate arbitrary amount of memory in the virtual address space. The amount of memory available in the address space can be queried with !address -summary command, or can be seen in Process Explorer, and so you can allocate more for your test if needed.

When testing Firefox with this methodology I notice increased amount of int 3 crashes in mozalloc_abort() that is due to out of memory condition - those crashes are not exploitable though.

READ FULL POST

Browsers Could Enable to Plant Malware

Today, Opera released a patch which attempts to address one of the issue I reported them in February, 2013.

The most likely attack is that a remote attacker may trick a user to visit a specially crafted web page; and to perform undisclosed operation (social engineering). As a result, a malicious executable file may be planted on the user's computer.

Either social engineering or a second bug is required to plant malware, so it's reasonable to assign moderate severity to the issue.

Another, probably less likely attack vector includes that an attacker has physical access to the machine. When the file downloads are blocked by security policy it may be easily possible for the attacker to bypass it and plant malware. This is a risk, specially in a corporate environment.

Firefox (Bug 845880), Chrome (Issue 177980), and Safari (Follow-up: 260250675) are affected.

Internet Explorer 10 is not affected. I concluded they recognized this issue internally and implemented defense.

I haven't verified Opera's patch yet.

Technical description scheduled to be posted later this year.

READ FULL POST

Getaway Time period Need to Indicate Special times

Generally holiday time turns into a quite demanding efforts almost all individuals existence. A large number of00 working around store shopping and now we no longer possibly prevent to appreciate the truth this means on the Getaway. Earnings season might be considerably more when compared with if many of us allow it. Whenever we only gradual typically the tempo somewhat along with make time to help it become far more substantial it might and is likely. Trips can be a quite affectionate a moment a superb probability to reconcile with your young families along with family and friends.

Undertaking very little issues to the getaway in which cause a number of time intended for romantic endeavors could be the most suitable choice. As an alternative to troubled out and about along with having to worry with regards to getting the correct reward on your wife or husband to the getaway, seek out methods you can create the perfect time to expend special times along with reconcile a bit.

You may traditional bank on the truth how the trips start up melancolia for all those, along with employ this being a the perfect time to reminisce to your trips prior jointly along with ahead of little ones. Examine photographs via recently, or maybe take steps on your wife or husband to leave these people be aware that anyone recall something ended up being particular of their the child years or maybe coming from a identical getaway you both put in jointly.

Really real that particular of the extremely significant things you can accomplish being a several is usually to appearance back and reminisce with regards to each of our record jointly. This kind of opens the door for you to affectionate sensations on the prior helping to us all view eachother in the brand-new gentle, or it could be in the outdated oone.

Holiday time could be the best the perfect time to locate a enjoy which might be missing or maybe missing out on yet again. This can be a great time period rich in loved reminiscences for you to recapture. You will see that your particular troubles virtually fade away invest the the time to restart precisely what can be missing out on.

 If you want to know more about Holiday Trip, you can read more articles at Beach Resort.

READ FULL POST

Out of Memory Issues in Internet Explorer 9

Recently, I was examining how Internet Explorer 9 performs under low-memory conditions.

The test involves to consume large amount of memory in the virtual address space of the renderer process. In this circumstance the execution flow can proceed on error condition of the memory allocation call, and so we can test how the application behaves when the memory allocation fails.

I used the following Windbg script as a template to exhaust the memory of the renderer process. I run the tests with between 16M and few hundred megabytes of free memory in the virtual address space.

$$ Exhausts the memory in the virtual address space. The memory is considered
$$ to be exhausted when an allocation with 16M fails.
$$
$$ Example Usage: $$>< e:/exhaust.wds
$$
$$ Last Updated: 10/February/2013
r $t0 = 0x40000000;
.while (@$t0 >= 0x100000)
{
   r $t1 = 0;
   .echo
   .echo "Size     Address";
   .echo "-----------------";
   .while (@$t1 == 0) {
     r $t1 = 1;
     .catch {.foreach /pS 5 (Address {.dvalloc /r @$t0}) { .printf "%08x %08x\n", @$t0, Address;}; r $t1 = 0;}
   }
   r $t0 = @$t0 / 2;
}

I opened local HTML/SVG files that were legitimate rather than fuzzed, and visited random websites under low-memory conditions. During my experiment, I observed many access violations because of the failed memory allocations. Even though most of them are harmless ones (NULL pointer crashes) some ends up to read data from invalid memory addresses that are not NULL.

Out of memory problem could be a security risk, and this is an attack surface in Internet Explorer. A mitigation to handle this issue would be to implement the following wrapper around the function that allocates the memory. If the allocation fails the renderer process stops with int 3 exception, so we avoid enter to any potential vulnerable code path.

As a reference, here are some stack traces of NULL pointer crashes.

eax=16acc320 ebx=16acc320 ecx=7765e38c edx=00629d08 esi=00000000 edi=16acc324
eip=678b34c5 esp=04ac6854 ebp=04ac6858 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
MSHTML!TSmartResource<CD2DDCTraits>::Acquire<ID2D1RenderTarget *,enum D2D1_DC_INITIALIZE_MODE,bool>+0x15:
678b34c5 8b06            mov     eax,dword ptr [esi]  ds:002b:00000000=????????
0:005> kb
ChildEBP RetAddr  Args to Child              
04ac6858 678b45bd 00000000 00000000 16dd9af0 MSHTML!TSmartResource<CD2DDCTraits>::Acquire<ID2D1RenderTarget *,enum D2D1_DC_INITIALIZE_MODE,bool>+0x15
04ac686c 678b4498 00000000 04ac689c 00000000 MSHTML!RefCounted<CD2DDCHolder,SingleThreadedRefCount>::Create<IDCHolder,ID2D1RenderTarget *>+0x5a
04ac68e8 678b3f9f 04acd308 04acd404 04ac69e0 MSHTML!CGDIRenderMode::OnBegin+0x37
04ac6914 678b416d 1125d810 04ac69e0 04acd404 MSHTML!CDXRenderTarget::GetDC+0x1e0
04ac6940 678b41ca 04ac6978 04ac69e0 16e55668 MSHTML!TSmartResource<CDispSurfaceDCMode>::Acquire<CDispSurface *,CRect const *>+0x6c
04ac6a68 67ac98b9 04acd268 04ac6c58 04ac6c18 MSHTML!COleLayout::Draw+0xd6f
04ac6a94 67ac9663 04ac6c58 04ac6c18 04acd308 MSHTML!CLayout::DrawClient+0xaa
04ac6d6c 67ac78e9 04acae4c 00000000 00000007 MSHTML!CDispLeafNode::DrawSelf+0x56c
04ac6e84 67ac82d0 169fe050 00000000 00000007 MSHTML!CDispNode::Draw+0x2c8
04ac6ea8 67ad9c5e 00000000 04ac6f74 04acae4c MSHTML!CDispContainer::DrawChildren+0xe4
04ac6f48 67ad9d15 1188efb8 04acae4c 04ac6f74 MSHTML!CDispContainer::DrawContentAdvanced+0x25c
04ac718c 67ac78e9 04acae4c 00000000 00000007 MSHTML!CDispContainer::DrawSelf+0x49b
04ac72a4 67adcb19 1188efb8 00000000 00000007 MSHTML!CDispNode::Draw+0x2c8
04ac72c8 67a82102 0ec815ec 1188efb8 04ac73c8 MSHTML!CDispNode::DrawContainerChild+0xd4
04ac7340 67a80e8b 0ec815a0 00000001 00000003 MSHTML!HtmlLayout::LineBoxBuilder::LsInlineBlockDisplay+0x71
04ac7358 67a801ca 1682e1f0 04ac73a0 0ec815a0 MSHTML!Ptls5::LsUpdateBreakRecordText+0xe4
04ac73d0 67adc0f8 112b8118 04ac7454 00000000 MSHTML!Ptls5::LsDisplayLine+0x19b
04ac747c 67adbf96 11576038 16a20920 1188ef60 MSHTML!HtmlLayout::LineBox::Draw+0x127
04ac75fc 67adbcb6 16a20920 04ac7698 00000000 MSHTML!HtmlLayout::FlowBox::DrawFlowItems+0x417
04ac76d0 67adba8d 04ac77b4 04ac77c4 04acd308 MSHTML!HtmlLayout::FlowBox::DrawClientContainerContent+0x1f7


eax=00000000 ebx=0767dc08 ecx=00000000 edx=67b36c31 esi=00000001 edi=0767dc08
eip=67b50f2c esp=043fd05c ebp=043fd070 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!CElement::AddRefCDocument:
67b50f2c 8b8130010000    mov     eax,dword ptr [ecx+130h] ds:002b:00000130=????????
0:005> kb
ChildEBP RetAddr  Args to Child              
043fd058 67b7ce5d 00000001 0767dc08 0972de00 MSHTML!CElement::AddRefCDocument
043fd070 67b7faa9 0767dc08 0e90b258 0e5f5d00 MSHTML!CElement::PrivateExitTree+0xfa
043fd0dc 67b7d897 0e90b258 00000001 00000001 MSHTML!CMarkup::DestroySplayTree+0x1fd
043fd150 67b87d82 00000000 00000001 0e5f5c20 MSHTML!CMarkup::UnloadContents+0x4bb
043fd170 67b94f28 0e90b258 00000001 00000000 MSHTML!CMarkup::TearDownMarkupHelper+0x4c
043fd198 67b96c2f 00000001 00000000 00000000 MSHTML!CMarkup::TearDownMarkup+0x71
043fd1c8 67b97190 0e5f5c20 00000000 0e5f5c20 MSHTML!CDoc::UnloadContents+0x5ee
043fd1e4 67b2adb8 0af3d9f8 0af3d9f8 043fd21c MSHTML!CDoc::Passivate+0x158
043fd1f4 67b59914 0e5f5c20 6783edfd 00000000 MSHTML!CBase::PrivateRelease+0x33
043fd1fc 6783edfd 00000000 0af3d9f8 00000000 MSHTML!TSmartPointer<IDispBrush>::Release+0x14
043fd20c 67b2adb8 008f8d10 00000000 043fd230 MSHTML!COleSite::Passivate+0x9f
043fd21c 67b2ac22 0af3d9f8 008f8d10 008ff680 MSHTML!CBase::PrivateRelease+0x33
043fd230 67b2acfe 0af3d9f8 043fd2b0 67bc5bdb MSHTML!CElement::PrivateRelease+0x40
043fd23c 67bc5bdb 0af3d9f8 008fecc8 67adfe91 MSHTML!CXDomainRequest::Release+0x10
043fd248 67adfe91 0e5ff8d0 008bc5a8 02000000 MSHTML!CMultimediaLog::Reset+0x28
043fd2b0 67ae017b 0e5ff8d0 00000000 00000001 MSHTML!COmWindowProxy::SwitchMarkup+0xadf
043fd338 679f4971 0e5ff8d0 00000000 0e5ff8d0 MSHTML!CMarkup::SetInteractiveInternal+0x183
043fd36c 67a04c0f 00000001 00000000 0e5ff8d0 MSHTML!CMarkup::RequestReadystateInteractive+0x152
043fd398 679eeaa7 008dd2c0 0aebcf70 0556e892 MSHTML!CMarkup::BlockScriptExecutionHelper+0x184
043fd4a4 679b7cf8 0556e892 008dd2c0 0aebcf70 MSHTML!CHtmPost::Exec+0x4b1


eax=00000000 ebx=00000000 ecx=07f4b8d4 edx=04b695fc esi=08564494 edi=00000000
eip=6789db2b esp=04b695ac ebp=04b695dc iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!CDXImageSoftware::CreateSharedBitmap+0xb4:
6789db2b 8b08            mov     ecx,dword ptr [eax]  ds:002b:00000000=????????
0:004> kb
ChildEBP RetAddr  Args to Child              
04b695dc 6789d969 00000000 081efac4 04b695fc MSHTML!CDXImageSoftware::CreateSharedBitmap+0xb4
04b69610 67ace39f 745b8fc0 081efac4 00000000 MSHTML!CDXImageSoftware::PrepareToRenderImpl+0x82
04b69644 67e7c992 08564480 745b8fc0 00000000 MSHTML!CDXImage::PrepareToRender+0x7c
04b696e0 67c0c4cf 745b8fc0 04b69878 04b6973c MSHTML!CSATBlurRenderer::CreateBlurredTarget+0x33b
04b69774 677faef8 745b8fc0 04b69954 40000000 MSHTML!CDXRenderTarget::Gaussian+0x1bf
04b699b8 677fa4d6 04b69a9c 04b69bd0 00000000 MSHTML!CDispSurface::RenderShadows+0xcc0
04b69cac 67adb82f 6a5a4220 04b69d28 081fbca0 MSHTML!HtmlLayout::ContainerBox::PositionAndDrawBackground+0x1170
04b69d58 67adb6b2 081f1d18 04b6d8d8 081fbca0 MSHTML!HtmlLayout::ContainerBox::DrawBackgrounds+0x210
04b69d88 67aca06f 04b69f6c 04b69e7c 04b6d978 MSHTML!HtmlLayout::ContainerBox::DrawClientBackground+0x6f
04b69e94 67ac9f07 04b6b4bc 00000000 04b6b4bc MSHTML!CDispNode::DrawBackground+0x1c0
04b6a0cc 67ac78e9 04b6b4bc 00000000 00000007 MSHTML!CDispContainer::DrawSelf+0x2b0
04b6a1e4 67ac82d0 081fbca0 00000000 00000007 MSHTML!CDispNode::Draw+0x2c8
04b6a208 67ad9c5e 00000000 04b6a2d4 04b6b4bc MSHTML!CDispContainer::DrawChildren+0xe4
04b6a2a8 67ad9d15 07c69e18 04b6b4bc 04b6a2d4 MSHTML!CDispContainer::DrawContentAdvanced+0x25c
04b6a4ec 67ac78e9 04b6b4bc 00000000 00000007 MSHTML!CDispContainer::DrawSelf+0x49b
04b6a604 678d0958 07c69e18 00000000 00000007 MSHTML!CDispNode::Draw+0x2c8
04b6a64c 67ac78e9 04b6b4bc 00000000 00000007 MSHTML!CDispProxyNode::DrawSelf+0x11d
04b6a764 67ac82d0 0849b398 00000000 00000007 MSHTML!CDispNode::Draw+0x2c8
04b6a788 678d0896 04b6d978 04b6a854 04b6b4bc MSHTML!CDispContainer::DrawChildren+0xe4
04b6a828 67ad9d15 745b8da8 04b6b4bc 04b6a854 MSHTML!CDispContainer::DrawContentAdvanced+0x28d


eax=0684a9a0 ebx=00000000 ecx=727937c0 edx=0000025b esi=73de91e8 edi=00000001
eip=6682bbbb esp=0440d190 ebp=0440d1a0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
jscript9!Js::JavascriptOperators::OP_GetInstanceScoped+0x2a:
6682bbbb 8b4304          mov     eax,dword ptr [ebx+4] ds:002b:00000004=????????
0:005> kb
ChildEBP RetAddr  Args to Child              
0440d1a0 09ed0071 00000003 0000025b 5ce84740 jscript9!Js::JavascriptOperators::OP_GetInstanceScoped+0x2a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0440d1c8 668085fe 725d5980 00000002 02f5bcf0 0x9ed0071
0440d204 66808523 725d5980 6680cb68 00000002 jscript9!Js::JavascriptFunction::CallFunction+0xc4
0440d268 6680845a 0a244dc8 00000002 0440d360 jscript9!Js::JavascriptFunction::CallRootFunction+0xb6
0440d2a4 668083e6 00000000 0440d2d4 00000002 jscript9!ScriptSite::CallRootFunction+0x4f
0440d2cc 6687e0d7 725d5980 0440d2fc 00000000 jscript9!ScriptSite::Execute+0x63
0440d330 67a824a9 0a23606c 725d5980 00000002 jscript9!ScriptEngine::Execute+0x11a
0440d3b4 67a823d3 725d5980 094bfae8 63beed58 MSHTML!CListenerDispatch::InvokeVar+0x12a
0440d3d4 678ead1f 094bfae8 0440d438 0440d498 MSHTML!CListenerDispatch::Invoke+0x40
0440d5a4 67b6bbfc 094bfae8 728f5120 00000000 MSHTML!CEventMgr::Dispatch+0x537
0440d5cc 68073e2c 728f5120 7ec86aa0 ffffffff MSHTML!CEventMgr::DispatchEvent+0xc9
0440d5e0 68079c98 6a40df58 adc49da3 00000096 MSHTML!CSVGElement::Fire_SVGLoad+0x37
0440d5f8 680760bd 0440d620 67b77389 728f5120 MSHTML!CSVGSVGElement::Fire_SVGLoad+0x53
0440d600 67b77389 728f5120 00000000 00008003 MSHTML!CSVGElement::Fire_SVGLoad_Async_Handler+0x10
0440d620 67b77406 748dbf58 00000001 90fa7997 MSHTML!CAsyncEventQueue::DispatchAllEvents+0x7c
0440d670 74fb62fa 00700e80 00000aae 748dbf58 MSHTML!GlobalWndProc+0x2ed
0440d69c 74fb6d3a 67b145ee 00700e80 00008003 USER32!InternalCallWinProc+0x23
0440d714 74fb77c4 00000000 67b145ee 00700e80 USER32!UserCallWinProcCheckWow+0x109
0440d774 74fb788a 67b145ee 00000000 0440f8a8 USER32!DispatchMessageWorker+0x3bc
0440d784 6b8a205c 0440d7cc 001f6db0 001f6dcc USER32!DispatchMessageW+0xf


eax=04666084 ebx=0bd43ae8 ecx=04666060 edx=0466067f esi=00000000 edi=0bd43b48
eip=6908145b esp=04666078 ebp=046661ec iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
MSHTML!CSVGEmbeddedComponent::CreateDisplayTreeForEmbeddedContent+0x79:
6908145b 8b06            mov     eax,dword ptr [esi]  ds:002b:00000000=????????
0:005> kb
ChildEBP RetAddr  Args to Child              
046661ec 69081acc 0bd43ae8 0bd43ae8 0bd43aec MSHTML!CSVGEmbeddedComponent::CreateDisplayTreeForEmbeddedContent+0x79
04666208 68e5dda5 01d43ae8 0c2c0068 00000001 MSHTML!CSVGEmbeddedComponent::EnsureLayoutForEmbeddedComponent+0xf7
04666260 690b59c3 0b010600 04669bd8 046662b4 MSHTML!CImgHelper::DrawSVGImage+0x29f
046662d8 68ffe222 04669bd8 0466630c 12d406e8 MSHTML!CSVGImageBlock::Draw+0x1a8
0466631c 68ad6f4e 04666354 6901ae94 046663dc MSHTML!HtmlLayout::SvgPrimitiveBox::DrawClient+0x117
04666380 770f26a4 00000000 04669bd8 046677bc MSHTML!CDispDrawContext::GetRedrawRegionBounds+0x7b
04666498 770f256f 0edcc0a8 00000090 04669ce4 ntdll!RtlpReAllocateHeap+0x190
0466650c 68ad6f4e 00570000 00000000 0edcc0a8 ntdll!RtlReAllocateHeap+0x2c5
04666548 68ad8db1 046677bc 04669ce4 00000000 MSHTML!CDispDrawContext::GetRedrawRegionBounds+0x7b
046677bc 00000000 00000000 00000000 04667804 MSHTML!CDispSurface::CClipStack::PushClipRect+0x181


eax=00000024 ebx=00005867 ecx=00000009 edx=00000016 esi=0435d008 edi=00000000
eip=68ffaa2c esp=0435cf98 ebp=0435d18c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
MSHTML!HtmlLayout::SvgTextBoxBuilder::CalculateGlyphWidths+0xaf:
68ffaa2c f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:005> kb
ChildEBP RetAddr  Args to Child              
0435d18c 68ffa7cc 08fab420 0435d1d0 61b9c288 MSHTML!HtmlLayout::SvgTextBoxBuilder::CalculateGlyphWidths+0xaf
0435d1d8 68ff8684 00fab420 6adadd40 0435d478 MSHTML!HtmlLayout::SvgTextBoxBuilder::UpdateVisibleRectangle+0x7f
0435d280 68ff8150 08fab420 0435d478 08fab420 MSHTML!HtmlLayout::SvgTextBoxBuilder::BuildLine+0x4d2
0435d2a8 68a36a8d 0d01ff24 0435d478 0d01ff18 MSHTML!HtmlLayout::SvgTextBoxBuilder::MoveToNextPosition+0xb5
0435d2d4 68a33951 08fab420 0435d478 0d01ff18 MSHTML!HtmlLayout::LayoutBuilder::EnterBlock+0xca
0435d2f0 68a359e4 0435d420 0435d464 00000000 MSHTML!HtmlLayout::LayoutBuilder::Move+0x48
0435d3c0 68a319af 0ad93c90 00000000 0ad93c90 MSHTML!HtmlLayout::LayoutBuilderDriver::StartPartialLayout+0x2d1
0435d4a0 68a2ffcc 0c10ddb8 00000000 00000032 MSHTML!HtmlLayout::CIE9Page::LayoutPage+0x27c
0435d4cc 68a2c3a7 00000000 0c10ddb8 08fa0c90 MSHTML!HtmlLayout::CIE9DocumentLayout::FormatPage+0x65
0435d524 68a272fe 0c8dff24 00000000 08fa0c90 MSHTML!CCssDocumentLayout::FindOrFormatPage+0x272
0435d590 68a2deff 0ad93c90 0c8dff24 00000032 MSHTML!CCssDocumentLayout::GetPage+0x95b
0435d638 68a2dd12 0c8dff20 0435d654 0435d6c8 MSHTML!CMarkupPageLayout::CalcSize+0x28c
0435d6b0 68a2fa31 00100000 0435d6c8 0c8dff34 MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0x101
0435d6d4 68c9b1d1 00100000 00002000 00000000 MSHTML!CMarkupPageLayout::DoLayout+0x56
0435d710 68a16b35 0c602e1c 00100000 00000000 MSHTML!CView::ExecuteLayoutTasks+0x3b
0435d77c 68a3856b 00000000 004d4f80 004d4fb4 MSHTML!CView::EnsureView+0x3bf
0435d7a4 68b49ef9 0c602e1c 00000000 00000000 MSHTML!CView::EnsureViewCallback+0xb8
0435d7e0 68b69768 3286b286 00000000 68b245ee MSHTML!GlobalWndOnMethodCall+0x115
0435d828 764e62fa 000909b6 0000005b 00000000 MSHTML!GlobalWndProc+0x302
0435d854 764e6d3a 68b245ee 000909b6 00008002 USER32!InternalCallWinProc+0x23


eax=00000001 ebx=00000000 ecx=00000000 edx=765d4758 esi=00000000 edi=00000000
eip=7675561c esp=043dcb38 ebp=043dcb40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
SHLWAPI!StrCmpNICW+0x13:
7675561c 0fb706          movzx   eax,word ptr [esi]       ds:002b:00000000=????
0:005> kb
ChildEBP RetAddr  Args to Child              
043dcb40 765d5704 00000000 765d4758 00000004 SHLWAPI!StrCmpNICW+0x13
043dcb60 765fcf6f 043dd000 72865284 00000000 urlmon!IsKnownProtocol+0x1e
043dcba4 68903047 007e81e8 00000000 00000000 urlmon!COInetSession::CreateBinding+0xf2
043dcbd8 68902f8f 72865284 00000000 00000000 MSHTML!CTridentFilterHost::CreateInetProtBinding+0x45
043dcc04 689c6406 00000000 00000000 043dd000 MSHTML!CTridentFilterHost::BindToInetProt+0x112
043dce98 689c18ba 72865218 00000000 00000004 MSHTML!CDwnBindData::Bind+0x4ba
043dcec0 689c16f6 00000000 68756ef4 00000000 MSHTML!NewDwnBindData+0x19d
043dcf1c 68a0a3bd 68756ee0 043dd000 6db14b88 MSHTML!CDwnLoad::Init+0x25c
043dcf40 68b62217 043dd000 6db14b88 00000001 MSHTML!CImgLoad::Init+0x43
043dcf68 68b6211d 07083df0 00000000 043dd000 MSHTML!CDwnInfo::SetLoad+0x11e
043dcf88 68b6c334 00000001 043dd000 00000000 MSHTML!CDwnCtx::SetLoad+0x86
043dcfb4 689f1547 00000001 043dd000 00000000 MSHTML!CImgCtx::SetLoad+0x4d
043dd058 689cc92d 00000001 0a4a138c 08df93b0 MSHTML!CDoc::NewDwnCtx2+0x337
043dd088 68ab962d 6fcd52a0 00000001 08df93b0 MSHTML!CDoc::NewDwnCtx+0x5b
043dd0d4 68aba4c3 07083df0 679f53e8 00000004 MSHTML!CImgHelper::FetchAndSetImgCtx+0xfb
043dd0f8 68aba3df 043dd1b8 08df93b0 043dd184 MSHTML!CImgHelper::EnterTree+0x132
043dd16c 6908fd6c 06f03f20 043dd1b8 043dd1b8 MSHTML!CImgHelper::Notify+0x2a4
043dd18c 689c2fa1 043dd1b8 00000001 6f48ea00 MSHTML!CSVGImageElement::Notify+0x2c
043dd1ec 689c2e5f 6f48ea00 6db102d8 689c7aa7 MSHTML!CHtmRootParseCtx::FlushNotifications+0x1b6
043dd1f8 689c7aa7 00000000 74702280 74702280 MSHTML!CHtmRootParseCtx::Commit+0xb

READ FULL POST

Tracing Thread ID of ModLoad and ModFree Events

This log was created by an experimental Windbg extension that is to trace the thread ID of ModLoad/ModFree events. When a module is being unloaded the extension queries the ID of the current thread and compares to the thread ID that loaded the module. If two different threads used to load and to unload the module the extension issues a notification as seen in yellow below.

ModLoad 59440000 00000454          PRNFLDR
ModFree 59440000 00000454 00000454 PRNFLDR
ModLoad 59440000 00000454          prnfldr
ModLoad 74b90000 00000454          WINSPOOL
ModLoad 5aa30000 00000454          prncache
ModLoad 74950000 00000454          RpcRtRemote
ModLoad 673a0000 00000454          actxprxy
ModLoad 6b180000 00000454          ieproxy
ModLoad 5a9f0000 00000454          thumbcache
ModLoad 5fcc0000 00000454          ieframe
ModLoad 75800000 00000454          api-ms-win-downlevel-ole32-l1-1-0
ModLoad 74490000 00000454          api-ms-win-downlevel-shlwapi-l2-1-0
ModLoad 74470000 00000454          api-ms-win-downlevel-advapi32-l2-1-0
ModLoad 6b250000 00000454          api-ms-win-downlevel-shell32-l1-1-0
ModFree 5aa30000 0000055c 00000454 prncache
-->prncache (5aa30000) is allocated by thread id 454 but freed by 55c
ModLoad 55250000 00000454          NPSWF32_11_7_700_169
ModLoad 771d0000 00000454          urlmon
ModLoad 6c310000 00000454          DSOUND
ModLoad 744a0000 00000454          POWRPROF
ModLoad 735a0000 00000454          mlang

I observed that normally the same thread is responsible to load and to unload the module. However, that's not always the case. If you can force a context switch on the code path of dereference, and to get the unloading thread to trigger ModFree, you could end up to dereference freed memory.

READ FULL POST

Expired Pointers of an Exported DLL Function

Once the dynamic-link library (DLL) is loaded in the memory, the address of an exported function is usually retrieved. The address is copied into a variable. Before the program executes the exported function, it retrieves its address from the variable. A potential vulnerability exists if the DLL is unloaded but the variable still contain the address of the exported function that was previously valid.

Here is one approach to get started the investigation into a potential vulnerability.

Let's assume the debugger executes the target application. We configure it to break-in when a DLL is unloaded. We know the base address and the size of the DLL as the debugger displays it. When the debugger breaks in we search for pointers that fall into this region. We set data access breakpoint for each pointer, and resume the execution to see if the pointers are accessed.

We may find that some of the pointers set to NULL when the breakpoint is triggered. This is most likely to prevent the access to invalid memory.

We may find that other expired pointers get copied into another memory location. This could be suspicious as we don't normally read expired pointers, albeit, often whole structures get copied even if they contain members that are no longer used.

We may find that some of the breakpoints are not triggered, and we need to analyze further if they can be reached from the execution flow.

READ FULL POST

Sample Pintools for Visual Studio

Creating a Visual Studio Project for Pintools (32-bit)

• Start Visual Studio 2010 and create a new Win32 Project.
• In the Win32 Application Wizard, select DLL for Application type, and tick Empty project in the Additional options.
• Create directory Pin in the Solution folder and copy Pin framework here.
• Copy Pin\source\tools\ManualExamples\inscount0.cpp to the Project folder. This is a sample Pintools file. Add the copied inscount0.cpp to the project.
• Set Active Configuration to Release.
• Add the following to the Additional Include Directories:

$(SolutionDir)Pin\source\include\pin;$(SolutionDir)Pin\source\include\pin\gen;$(SolutionDir)Pin\extras\xed2-ia32\include;$(SolutionDir)Pin\extras\components\include;%(AdditionalIncludeDirectories)

• Add the following to the Additional Library Directories:

$(SolutionDir)Pin\ia32\lib;$(SolutionDir)Pin\ia32\lib-ext;$(SolutionDir)Pin\extras\xed2-ia32\lib;%(AdditionalLibraryDirectories)

• Add the following to the Preprocessor:

TARGET_WINDOWS
TARGET_IA32
HOST_IA32

• Set Enable C++ Exceptions to No, and set Runtime Library to Multi-threaded (/MT).
• Add the following to the Additional Dependencies in the Linker settings:

ntdll-32.lib
libxed.lib
pin.lib
pinvm.lib
libcmt.lib
libcpmt.lib

• Set Ignore All Default Libraries to Yes (/NODEFAULTLIB).
• Set Entry Point to Ptrace_DllMainCRTStartup@12.
• Add the following to the Additional Options of the Command Line linker option:

/EXPORT:main

Downloading&Building Sample Pintools for Visual Studio

• To download Sample Pintools Project created with the above settings click here [SkyDrive].
• Open the solution file in Visual Studio and set the active configuration to Release.
• Create directory Pin in the Solution folder and copy Pin framework here.
• Copy Pin\source\tools\ManualExamples\inscount0.cpp to the Project folder. This is a sample Pintools file.
• Build the project.

READ FULL POST

Flash Player Unloading Vulnerability

Opera unloads Flash Player after two minutes of not being used. Flash Player can create dialog that can run even when the player itself is unloaded. When it's unloaded, the running dialog makes a call back to the unloaded module, in a time window.

If an attacker can exploit the time window between the unload and the dereference, it's possible to redirect the execution flow.

While experimenting, I used heap spray to inject 0xCC bytes to the deleted memory. I succeeded once of many attempts and this suggests it's practically possible to create an exploit that could inject malicious code within the time window.

When investigated this vulnerability, I wanted evidence to the question: what module unloads the Flash Player? I used Windbg to place breakpoint at unload events. I let the application to trigger the unload events, and when the debugger hit the breakpoint, printed the call stack.

0:014> sxe ud
0:014> g
Unload module C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll at 54760000
eax=00000000 ebx=035f5584 ecx=00000000 edx=00000000 esi=035f5bc8 edi=00000000
eip=77b1fc72 esp=0037dab0 ebp=0037db30 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
ntdll!ZwUnmapViewOfSection+0x12:
77b1fc72 83c404          add     esp,4
0:000> kc
ntdll!ZwUnmapViewOfSection
ntdll!LdrpUnloadDll
ntdll!LdrUnloadDll
KERNELBASE!FreeLibrary
WARNING: Stack unwind information not available. Following frames may be wrong.
Opera_534b0000!OpSetSpawnPath
Opera_534b0000!OpWaitFileWasPresent

I saw the Flash Player was freed by Opera indeed.

I needed the answer for the question also: what module created the thread that calls back to the unloaded module? Here are the series of Windbg commands used to get the answer.

sxn et
sxn ud
bp CreateRemoteThreadEx "kc; gu; !handle eax 8; gc"
g

KERNELBASE!CreateRemoteThreadEx
kernel32!CreateThreadStub
WARNING: Stack unwind information not available. Following frames may be wrong.
NPSWF32_11_4_402_287!native_ShockwaveFlash_TCallLabel
Opera_534b0000!OpGetNextUninstallFile
Opera_534b0000!OpGetNextUninstallFile
NPSWF32_11_4_402_287!NP_Shutdown
NPSWF32_11_4_402_287
NPSWF32_11_4_402_287!DllUnregisterServer
Opera_534b0000!OpWaitFileWasPresent
ntdll!TppPoolReserveTaskPost
ntdll!TppTimerpSet
Opera_534b0000!OpGetNextUninstallFile
Opera_534b0000!OpSetLaunchMan
Opera_534b0000!OpSetLaunchMan
Handle a20
  Object Specific Information
    Thread Id   88ac.1700
    Priority    10
    Base Priority 0
    Start Address 5497083d NPSWF32_11_4_402_287!native_ShockwaveFlash_TCallLabel
ModLoad: 6bda0000 6bdd0000   C:\Windows\SysWOW64\wdmaud.drv
ModLoad: 72cb0000 72cb4000   C:\Windows\SysWOW64\ksuser.dll
ModLoad: 6d9e0000 6d9e7000   C:\Windows\SysWOW64\AVRT.dll
ModLoad: 6cad0000 6cad8000   C:\Windows\SysWOW64\msacm32.drv
ModLoad: 6bd80000 6bd94000   C:\Windows\SysWOW64\MSACM32.dll
ModLoad: 6bd70000 6bd77000   C:\Windows\SysWOW64\midimap.dll
Exit thread 6:3f90, code 0
Exit thread 7:4074, code 0
Unload module C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll at 54760000
Unload module C:\Windows\system32\WINSPOOL.DRV at 736f0000
(88ac.1700): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000102 ebx=00000000 ecx=75a914d0 edx=00000000 esi=11c8d000 edi=11c8d470
eip=549706c0 esp=0aacfd38 ebp=0aacfd80 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
<Unloaded_NPSWF32_11_4_402_287.dll>+0x2106c0:
549706c0 ??              ???

I saw that thread 88ac.1700 is created by the Flash Player. When the player is unloaded the thread is still running. Finally, the thread calls back to the unloaded module. Therefore, I knew Flash Player created the thread that calls back to its own module that has been unloaded.

And here is some interesting observation.

When started to look into triggering a dialog in Flash Player I created the following ActionScript that executes an infinite loop.

class InfiniteLoop {
static function main() {
           for (var i = 0; i < 1;) {}
}
}

I built the Flash file with the command below.

mtasc.exe -swf InfiniteLoop.swf -main -header 125:125:20 InfiniteLoop.as

The Flash file triggers a slow script warning dialog. I was able to unload and to crash the Flash Player while the dialog was still running. I achieved this with version 11.4.402.278. When reported the problem to Opera they couldn't reproduce it. That time there was a Flash Player update, and I found it out that they used the latest version of Flash Player that was 11.4.402.287. With the latest version, I couldn't reproduce the problem either.

It got me thinking if Adobe fixed security problem either silently or "accidentally". When I checked the release notes of the latest version I didn't see indication of this kind of fix. I still don't know what had happened between the two releases but thought to investigate this issue further. I tried to trigger the bug via different code paths. I looked at my Flash file collection to dig out a file that triggers a dialog. And here it is, with the one I found, I could crash the player with the same call stack as before.

Initially, I thought Opera could fix this issue by leaving the module permanent in the address space, so I reported this to Opera. However, they notified Adobe after confirming it's not the problem in Opera (though they considered it as a stability issue). Adobe received the report at the end of November, 2012. The bug is now fixed in the security update that has a number of APSB13-09 at 12 March, 2013.

The preliminary version of this blog post was reviewed by Adobe. The preliminary version is same to the published version apart from some changes in the wording.

READ FULL POST

Doggy Foods Strategies Publication : Doggy Foods Strategies Get

Puppies are usually mans most appropriate pal and also hands down the most liked kinds animals. A lot of consider pet dogs element of these family members or perhaps as their personal youngster.
We offer the most notable remedy we could, coming from recognize company puppy dog foods to be able to health-related remedy, toys and games, and more, it is necessary pricey. Nevertheless, plenty of puppies are merely inside the aspect of these precious grasp for almost any ten years for the most part. Reniforme disappointment, malnutrition, intestinal plan health conditions, therefore a number of additional concerns can easily take into account out the precious puppies before they will have the possiblity to increase antique. It truly is this kind of disaster to pay thus a whole lot as well as earnings getting excellent care in our puppies to provide up like that. Properly, maybe you have considered which you could probably in fact poisioning your puppy every single day simply by giving these mercantil puppy dog foods? Sadly, this can be the truth.

Mercantil doggy food items producers, it is necessary huge or perhaps small the brand name will be, try out each way to boost their particular income. As opposed to genuinely patient your new puppy, they can probably make use of slaughter residence waste materials, infected dog charpente including chemical compounds and various low-nutritious factors to lessen fees. All these are generally not groundless rumours. Tim Lewis, creator of the most effective advertising guidebook Doggy Foods Strategies, performed many years of study to obtain the actuality concerning family pet food items right after his or her puppy dog perished immediately after simply several a very long time regarding lifestyle.

Following hearing about each of the hazards of mercantil doggy foods, maybe you want to try out additional concerns to be able to nourish your puppy. But if you may nourish your puppy commerical doggy dishes, just what and then? You may get just about all you have to pick inside Doggy food items insider secrets, as an example crucial vitamins and minerals that will k-9s will need, several dishes which can be speedy to be able to prepare food despite the fact that getting the two nourishing and also gooey for that family pet. Should you favor to nourish your puppy together with individual foods, make sure you do have a check out inside set of dangerous individual foods to be able to puppies in the guidebook very first. You will find additionally a big number of knowledge concerning health and fitness remedy, diet, shots, food handle and in addition tips and ideas to instruct an individual techniques to help to make heathy treats.

Using a while regarding reasearches and a genuine dog-loving coronary heart, Lewis is incredibly assured within the publication. In case you are not happy for the guidebook for the result in, it is possible to acquire your entire earnings returning with no supplying once more the particular publication.
With all the ease the particular publication plus your enjoy, difficult a dream to give your current dog's life-time to enable you to in fact enjoy several happy and also nutritious yrs each!

READ FULL POST

Super deals about exhaustive affordable vacation packages

Delight expend involving leisure time is certainly much loveable to all or any among us. Explanation everyone in business is adore to getaway in your trips if we hold the the perfect time to expedition a number of spots. With this modern-day age everyone is looking to merely expend their very own leisure time with virtually no anxiety or any other nervousness. As a result they each looking to prepare their very own trips while using instruction or maybe arranging involving expedition coordinator or maybe coders. Several features added to typically the expedition ideas with this form of arranging. Are often times vacation packages are generally this sort of famous sort of expedition arranging where vacationer does not need to concern yourself with their very own resorts or maybe fooding or maybe of these expedition software.

About in which bank account typically the deal expedition arranging along with discounts are definitely the sizzling favored in connection with trips exhaustive. By way of such type of expedition technique everyone can receive the effective elements of expedition. Throughout below vacationer will get typically the every answer expedition deal company. Via expedition about to priced arranging plus the overall expedition software are generally put in place by simply this sort of service agency. With the Exhaustive getaway, all of your current refreshments inside the from the price tag, and that means you is not going to ought to pay to take pleasure from evening meal. Included in the package see that almost all lodge pursuits along with leisure are generally bundled way too. And so in the moment anyone appear towards your airline flight property, you may take pleasure in whatever amount since you similar to.

With this modern-day time period any time each everyone is relying on the world wide web, there are several selections for features throughout expedition software. Each bargain in connection with are often times vacation packages are generally presents on the vacationer with various features. Individuals features are generally involves typically the every day paying for you to planning the desire travels. There are actually a lot of Affordable Trips to locate along with reserve on the web. As a result reserve an economical getaway or maybe affordable airline flight to your substantial number of major resorts throughout spots throughout the world, using package offers in the United kingdom's top rated Tour guides. Look for along with reserve exhaustive trips, vacation cruises, Aircraft along with Snowboarding trips in the favored spots or maybe learn a place brand spanking new with a splash ideas via each of our vacation spot courses.

Each of our exhaustive holidaysare suitable for any individual buying a bust of their billfolds, especially when you aren't vacationing being a class or maybe household. Is actually top rated spots worldwide available, you are going to rapidly realize why jooxie is typically the United kingdom's number one getaway firm}. Decide on numerous types of exhaustive trips to a few the top major resorts on the globe. Looking for trips for anyone for most financial constraints. Look for each of our on the web arranging technique at this point for any exhaustive getaway great buy. We live gurus to locate affordable package offers for you to some actors exhaustive motels along with your five legend exhaustive motels out of all top rated major resorts. Distinctive vacation savings you'll not get somewhere else. While exhaustive Trips can be a best probability to have fun away from challenges of along with property. You may only loosen up from the expertise the dish along with take in on your bash is usually coated on your full continue to be. For this reason just to delight in your own personal getaway, whichever preferences, whether intended for basking in the sun with the water which has a fine reserve, participating in some sort of spherical involving the game of golf or maybe testing surfing etc,. The selection is yours to make.

 Find the related info about vacation through the Vietnam Mountains.

READ FULL POST

computer animation 3d software along with VFX Work opportunities

computer animation 3d software work opportunities, in addition to VFX work opportunities are generally intriguing along with beneficial throughout mother nature. Currently, market sectors for instance television set, video, promotion, along with game playing are generally routinely in search of accomplished persons, proficient throughout computer animation 3d software along with visual effects to function into their several jobs.

computer animation 3d software along with VFX work opportunities normally call for a combination of both equally inventive along with techie knowledge. When having the position apps, a company normally investigations typically the individual’s show-reel in addition to her or his cv. Some sort of show-reel performs such as a aesthetic cv exactly where components of typically the individual’s personalized in addition to business oriented job when it comes to movement along with VFX, are generally collaborated in a limited cinematic. To acquire a3D animationor VFX task, persons should get expertise and turn one of several pursuing pros.

Visual Effects Musician

A visible consequences musician can be a man or woman liable for generating photorealistic aesthetic aspects, that happen to be essential in the are living motion or maybe movement video, Tv ad, gaming venture, along with other sorts of cinematic musicals or plays. Visual effects features for the are living motion video usually are hyper-real graphics which might be sometimes improper or maybe not possible for you to blast. Visual effects musician might often work towards associated with wire connections used throughout manufacturing blast of any stuntman or maybe actor or actress hovering, pouncing, or maybe undertaking tricks with the aid of wire connections along with connectors. Aren't used . also movement video, visual effects musician might require to generate a variety of aspects for instance excellent skiing conditions, bad weather, sandstorm, earthquake, water swells, explosions, gunfire, etc ..

Lights Musician

Some sort of lights musician normally performs as well as are living motion production’s lights representative along with cinematographer. Some sort of lights musician is the reason00 generating lights rigs, and he or maybe this lady patterns what sort of manufactured or maybe sunlight should certainly tumble upon typically the aesthetic portions of typically the landscape. Typically the musician decides a fashionable lights style to the natural environment, materials along with personas, providing there may be persistence throughout what sort of lights is employed throughout every single hit. Typically the musician uses particular lights computer software, making use of correct dark areas, illustrates along with lights solutions in all of production’s natural environment.

Feel Musician

To further improve typically the aesthetic aspects, some sort of feel musician results in along with does apply suitable ordre, colorings, along with several exterior qualities with each 3 DIMENSIONAL type essential in the manufacturing. The position calls for you are using layers typically the materials with a persona type or possibly a levels road create remaining splashes from the external splashes of any persona or maybe thing. Typically the musician calls for knowledge throughout photo croping and editing computer software for instance Photoshop yet others the same.

Increasing expertise and having one of several earlier mentioned musician could absolutely to have specific some sort of computer animation 3d software or maybe VFX employment in manufacturing.

 Here by, CMetricstudio3D Animation Development Services-Architecture and Interior Design for your enrichment of3D animation

READ FULL POST

Integer Overflow and Memory Failures in WavPack

The common consequences of the integer overflow are denial-of-service and out-of-bounds memory access. What I'm describing here is neither of them but rather a rare consequence I discovered recently.

WavPack is an open source project providing audio compression and decompression. The project consists of the library and utilities exercising the library. The library compresses and decompresses Wav and WavPack streams. It's used in several software (e.g. WinZip) and hardware. One of the utilities called WVUNPACK decompresses the WavPack file.

I'm discussing a bug in WVUNPACK that is not shipped with the 3rd party products using WavPack library, and so the bug doesn't affect 3rd party products but WVUNPACK only.

WVUNPACK has an undocumented command line switch k that allows the user to control the size of the buffer to operate with. This switch expects a number to calculate the size of the buffer with.

case 'K': case 'k':
    outbuf_k = strtol (++*argv, argv, 10);

outbuf_k is int, and its value is controlled by the user. Assume the user calls WVUNPACK specifying -k4194303 in the command line. The integer after k is copied to outbuf_k. Note, 4194303 is 0x3fffff.

The program calculates the size of the buffer to operate with. However, there is an integer overflow when calculating output_buffer_size and it becomes 0xfffffc00 after the execution of the code snippet below.

if (outbuf_k)
    output_buffer_size = outbuf_k * 1024;

The program attempts to allocate memory with 0xfffffc00. The allocation fails, and the returning pointer that is NULL is not sanity-checked.

output_pointer = output_buffer = malloc (output_buffer_size);

Without detecting the memory allocation failure, the execution continues and the decompression is starting by creating an output file and writing a header in it.

if (!DoWriteFile (outfile, WavpackGetWrapperData (wpc), WavpackGetWrapperBytes (wpc), &bcount) ||

The program unpacks the content of the file to a temporary buffer.

samples_unpacked = WavpackUnpackSamples (wpc, temp_buffer, samples_to_unpack);

However, the block within the if statement is not reached because output_buffer is NULL, and so the decompressed data is not written to the output.

if (output_buffer) {[...]
        if (!DoWriteFile (outfile, output_buffer, (uint32_t)(output_pointer - output_buffer), &bcount) ||

To recap the issue, the integer overflow causes that the unpacked data is not written to output and there is no error displayed believing the unpacking is successfully completed.

The screenshot below demonstrates there is no error displayed but when manually checking the file size there is a mismatch.

In addition to that, WVUNPACK supports to calculate and to display MD5 signature to verify the output. This can be enabled by m command line switch. This check is performed on the temporary buffer that is never written to output, therefore the error remains undetected. In fact, the program could display the correct MD5 while the output has different checksum.

Here is the code snippet demonstrates MD5 calculation is performed on temporary buffer.

if (calc_md5 && samples_unpacked) {[...]    MD5Update (&md5_context, (unsigned char *) temp_buffer, bps * samples_unpacked * num_channels);

And here is the screenshot demonstrates the bug in checksum verification.

The bug described above is found in WVUNPACK, however, I'd like to provide information about the library, too, for those use it in 3rd party products. According to WavPack website the library is used in several hardware including jukeboxes, multimedia and network players, and in many software including VLC Media Player.

WavPack library, probably for performance reasons, doesn't check the return value of memory allocation functions. This looks safe when investigating the library on isolation as those seem to work with small buffers and so it's difficult to make the allocation to fail, and to possibly enter in vulnerable paths. However, the library is widespread and used in different systems, and in different software environment, it could even possibly run in browser process. Earlier this year, I proved how to make allocation fails with fixed or small size.

Few examples could access near NULL:

orig_data = malloc (sizeof (f32) * ((flags & MONO_DATA) ? sample_count : sample_count * 2));
memcpy (orig_data, buffer, sizeof (f32) * ((flags & MONO_DATA) ? sample_count : sample_count * 2)); 

[...]

wps->blockbuff = malloc (wps->wphdr.ckSize + 8);
memcpy (wps->blockbuff, &wps->wphdr, sizeof (WavpackHeader));

[...]

riffhdr = wrapper_buff = malloc (wrapper_size);
memcpy (wrapper_buff, WavpackGetWrapperLocation (first_block, NULL), wrapper_size);

READ FULL POST

Using Pintools to Detect Bugs

Recently I spent some time to get into Pin and to explore how feasible to write Pin-based tools to detect programming errors. Here is the summary of my experiment. I think it could be useful for someone who might want to write Pintools.

I had been thinking of dynamic ways to catch programming error without making the detection logic complex. My decision was to write a tool that can detect division by zero errors when the division is performed by a function argument. The tool works as follows.

The tool inspects division instructions that are reading stack via EBP.

   if (INS_Opcode(ins) == XED_ICLASS_IDIV || INS_Opcode(ins) == XED_ICLASS_DIV)
   {
[...]
      if (INS_IsStackRead(ins) && INS_RegRContain(ins, REG_EBP) && INS_IsMemoryRead(ins))
      {
         INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)TrackDivisionByArg, IARG_INST_PTR, IARG_MEMORYREAD_EA, IARG_REG_VALUE, REG_EBP, IARG_END);
      }

Since the function arguments are stored at EBP+XX it's possible to detect when a division is performed by a function argument.

VOID TrackDivisionByArg(ADDRINT inst_ptr, ADDRINT memoryread_ea, ADDRINT reg_ebp)
{
   // Do we read argument of the function (EBP+XX)?
   if (memoryread_ea >= reg_ebp)
   {
[...]

However, this doesn't mean there is a division by zero error because there might be a test for zero. To filter out obvious false positives the tool inspects if the parameter is accessed before the division.

   else if ((INS_Opcode(ins) == XED_ICLASS_CMP || INS_Opcode(ins) == XED_ICLASS_MOV) && INS_IsStackRead(ins) && INS_RegRContain(ins, REG_EBP) && INS_OperandIsImmediate(ins, 1))
   {
      INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)TrackAccessToArgs, IARG_INST_PTR, IARG_MEMORYREAD_EA, IARG_REG_VALUE, REG_EBP, IARG_REG_VALUE, REG_ESP, IARG_END);
   }

The tool checks the functions on isolation so if the function parameter is checked for zero by the caller the program may report division by zero error. This is the consequence of the design.

The tool uses std::map data structure to maintain the state of the analysis. It also contains other research implementation that is not mentioned in this blog post. The source code is available to download here.

If you use std::map functions you have to use mutex and write lock to protect the data structure from potential corruption unless the target uses no threads.

To get better performance it's better to do analysis once the application exists rather than on-the-fly. However, this increases the memory footprint as the data can be accumulating during the execution.

Sometimes it might be a good idea to use Window Beep function to make noise if a bug is detected.

While it's possible to write efficient Pintools to detect bugs, sometimes if the tool is made to depend on the target application it can perform better.

READ FULL POST