
360压缩,看来又是个粗制滥造的软件

不下两分钟已经弄崩四五次了,出现这么个栈调用(TerminateProcess 的退出码是 c0000409,即 STATUS_STACK_BUFFER_OVERRUN,也就是 /GS 栈保护检查失败后进程自己主动终止),大家也都知道是什么情况了吧:

0:000> kvn
 # ChildEBP RetAddr  Args to Child              
00 00128688 7c92de5c 7c801e3a ffffffff c0000409 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 0012868c 7c801e3a ffffffff c0000409 001289d4 ntdll!ZwTerminateProcess+0xc (FPO: [2,0,0])
02 0012869c 004c9453 ffffffff c0000409 310a3291 kernel32!TerminateProcess+0x20 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
03 001289d4 004712e9 0000011e 0324028a 00000109 360zip+0xc9453

wps这么一推送,又是多少事故

打开wps就崩溃,看看啥原因呗。为了防止被它自带的异常上报程序先一步捕获,首先挂上调试器:

(1e60.1a6c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for D:\Program Files (x86)\Kingsoft\WPS Office\9.1.0.4867\office6\officespace.DLL - 
eax=00000000 ebx=00000011 ecx=0036ee80 edx=003428c3 esi=776a8ad0 edi=00000000
eip=7748f3c4 esp=09b3fd00 ebp=09b3fd0c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
officespace!KActiveLoginInfoCache::vipUrl+0x9e8:
7748f3c4 8b480c          mov     ecx,dword ptr [eax+0Ch] ds:002b:0000000c=????????

看看栈

0:017> kvn
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 09b3fd0c 7749235b acc53f64 00000000 09b3fd8c officespace!KActiveLoginInfoCache::vipUrl+0x9e8
01 09b3fd40 77491f93 09b3fd5c acc53f74 06b50300 officespace!KActiveLoginInfoCache::vipUrl+0x397f
02 09b3fd74 774996cf acc53f9c 06b50220 06b50300 officespace!KActiveLoginInfoCache::vipUrl+0x35b7
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for D:\Program Files (x86)\Kingsoft\WPS Office\9.1.0.4867\office6\QtCore4.dll - 
03 09b3fdb8 668fb948 00000000 00000000 09b3fe00 officespace!KActiveLoginInfoCache::vipUrl+0xacf3
04 09b3fdc8 57b7c556 06b50300 acb26a30 00000000 QtCore4!QThread::setPriority+0x25d
05 09b3fe00 57b7c600 00000000 09b3fe18 76a0338a MSVCR100!_endthreadex+0x3f (FPO: [Non-Fpo])
06 09b3fe0c 76a0338a 06cc4178 09b3fe58 771c9f72 MSVCR100!_endthreadex+0xce (FPO: [Non-Fpo])
07 09b3fe18 771c9f72 06cc4178 2660fcd4 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
08 09b3fe58 771c9f45 57b7c59c 06cc4178 00000000 ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
09 09b3fe70 00000000 57b7c59c 06cc4178 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

看看出错的东西是哪儿来的吧

7748f3a7 55              push    ebp
7748f3a8 8bec            mov     ebp,esp
7748f3aa 51              push    ecx
7748f3ab 53              push    ebx
7748f3ac 57              push    edi
7748f3ad 8d45fc          lea     eax,[ebp-4]
7748f3b0 50              push    eax
7748f3b1 ff1518e45b77    call    dword ptr [officespace!KQingClient::trUtf8+0x7a638 (775be418)]
7748f3b7 8d4dfc          lea     ecx,[ebp-4]
7748f3ba ff151ce45b77    call    dword ptr [officespace!KQingClient::trUtf8+0x7a63c (775be41c)]
7748f3c0 8bd8            mov     ebx,eax
7748f3c2 8b06            mov     eax,dword ptr [esi]
0:017> ?(.-7748f3a7)
Evaluate expression: 29 = 0000001d
0:017> r
eax=00000000 ebx=00000011 ecx=0036ee80 edx=003428c3 esi=776a8ad0 edi=00000000
eip=7748f3c4 esp=09b3fd00 ebp=09b3fd0c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
officespace!KActiveLoginInfoCache::vipUrl+0x9e8:
7748f3c4 8b480c          mov     ecx,dword ptr [eax+0Ch] ds:002b:0000000c=????????
0:017> ?(0x9e8-0x1d)
Evaluate expression: 2507 = 000009cb
0:017> x officespace!KActiveLoginInfoCache::vipUrl+000009cb

那就是这里了,在这个地址下断点然后重启:

Breakpoint 0 hit
eax=0b1cf83c ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3a7 esp=0b1cf818 ebp=0b1cf848 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9cb:
05daf3a7 55              push    ebp
0:017> dd esi
05fc8ad0  00000000 00000001 05f5c5e4 06fefc48
05fc8ae0  00000000 00000000 00000000 66d13d90
05fc8af0  00000000 66d13d90 66d13d90 00000000
05fc8b00  66d13d90 66d13d90 00000000 66d13d90
05fc8b10  66d13d90 66d13d90 66d13d90 66d13d90
05fc8b20  00000000 66d13d90 66d13d90 66d13d90
05fc8b30  66d11874 00000000 66d13d90 00000000
05fc8b40  66d13d90 66d13d90 00000000 00000001
0:017> p
eax=0b1cf83c ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3a8 esp=0b1cf814 ebp=0b1cf848 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9cc:
05daf3a8 8bec            mov     ebp,esp
0:017> 
eax=0b1cf83c ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3aa esp=0b1cf814 ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9ce:
05daf3aa 51              push    ecx
0:017> 
eax=0b1cf83c ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3ab esp=0b1cf810 ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9cf:
05daf3ab 53              push    ebx
0:017> 
eax=0b1cf83c ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3ac esp=0b1cf80c ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9d0:
05daf3ac 57              push    edi
0:017> 
eax=0b1cf83c ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3ad esp=0b1cf808 ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9d1:
05daf3ad 8d45fc          lea     eax,[ebp-4]
0:017> 
eax=0b1cf810 ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3b0 esp=0b1cf808 ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9d4:
05daf3b0 50              push    eax
0:017> 
eax=0b1cf810 ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3b1 esp=0b1cf804 ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9d5:
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for D:\Program Files (x86)\Kingsoft\WPS Office\9.1.0.4867\office6\QtCore4.dll - 
05daf3b1 ff1518e4ed05    call    dword ptr [officespace!KQingClient::trUtf8+0x7a638 (05ede418)] ds:002b:05ede418={QtCore4!QDateTime::time (665bffde)}
0:017> 
eax=0b1cf810 ebx=00000000 ecx=03ddee82 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3b7 esp=0b1cf808 ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9db:
05daf3b7 8d4dfc          lea     ecx,[ebp-4]
0:017> 
eax=0b1cf810 ebx=00000000 ecx=0b1cf810 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3ba esp=0b1cf808 ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9de:
05daf3ba ff151ce4ed05    call    dword ptr [officespace!KQingClient::trUtf8+0x7a63c (05ede41c)] ds:002b:05ede41c={QtCore4!QTime::hour (665bf3d9)}
0:017> 
eax=00000012 ebx=00000000 ecx=0036ee80 edx=00012982 esi=05fc8ad0 edi=00000000
eip=05daf3c0 esp=0b1cf808 ebp=0b1cf814 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
officespace!KActiveLoginInfoCache::vipUrl+0x9e4:
05daf3c0 8bd8            mov     ebx,eax
0:017> 
eax=00000012 ebx=00000012 ecx=0036ee80 edx=00012982 esi=05fc8ad0 edi=00000000
eip=05daf3c2 esp=0b1cf808 ebp=0b1cf814 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
officespace!KActiveLoginInfoCache::vipUrl+0x9e6:
05daf3c2 8b06            mov     eax,dword ptr [esi]  ds:002b:05fc8ad0=00000000
0:017> 
eax=00000000 ebx=00000012 ecx=0036ee80 edx=00012982 esi=05fc8ad0 edi=00000000
eip=05daf3c4 esp=0b1cf808 ebp=0b1cf814 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
officespace!KActiveLoginInfoCache::vipUrl+0x9e8:
05daf3c4 8b480c          mov     ecx,dword ptr [eax+0Ch] ds:002b:0000000c=????????

看看这个值哪儿来的?

05db22b1 bed08afc05      mov     esi,offset officespace!KxKuaiPanInfoGetter::staticMetaObject+0x5998 (05fc8ad0)

0:017> dd 05fc8ad0
05fc8ad0  00000000

果然是空指针,往上追溯:

05db22ff 8b0d74ffed05    mov     ecx,dword ptr [officespace!KQingClient::trUtf8+0x7c194 (05edff74)]
...
05db2307 890dd08afc05    mov     dword ptr [officespace!KxKuaiPanInfoGetter::staticMetaObject+0x5998 (05fc8ad0)],ecx

这个全局变量在officespace里面,那么重启,等officespace加载后在它上面加 ba r1(硬件访问断点,命中时打印寄存器和栈):

0:000> sxe ld officespace
0:000> g
ModLoad: 0f3e0000 0f63b000   D:\Program Files (x86)\Kingsoft\WPS Office\9.1.0.4867\office6\officespace.DLL
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=7efdd000 edi=0032edf4
eip=771afc62 esp=0032ecc8 ebp=0032ed1c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!ZwMapViewOfSection+0x12:
771afc62 83c404          add     esp,4
0:000> x officespace!KQingClient::trUtf8
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for D:\Program Files (x86)\Kingsoft\WPS Office\9.1.0.4867\office6\officespace.DLL - 
0f4a3d9b          officespace!KQingClient::trUtf8 (<no parameter info>)
0f4a3de0          officespace!KQingClient::trUtf8 (<no parameter info>)
0:000> ba r1 0f4a3d9b+0x7c194 "r;k;g;"
0:000> ba r1 0f4a3de0+0x7c194 "r;k;g;"
0:000> g

结果,大家都知道是为啥了:

eax=66a81874 ebx=00000000 ecx=00000001 edx=00000471 esi=075d42e8 edi=00000000
eip=0f3eb76d esp=0032d188 ebp=0032d1a4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
officespace!KxKuaiPanInfoGetter::qt_metacall+0x6483:
0f3eb76d 894610          mov     dword ptr [esi+10h],eax ds:002b:075d42f8=baadf00d

0:017> ln 66a81874
(66a81874)   QtCore4!QListData::shared_null   |  (66a81a40)   QtCore4!QMapData::shared_null
Exact matches:
    QtCore4!QListData::shared_null (<no parameter info>)

SetContext failed, 0x80070005
MachineInfo::SetContext failed - Thread: 04CE8F30  Handle: 840  Id: 4174 - Error == 0x80070005
eax=66a81874 ebx=00000001 ecx=00006379 edx=00006378 esi=66536c1f edi=0f608a18
eip=0f44681f esp=0032d1e0 ebp=0032d204 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
officespace!qt_test_isFetchedRoot+0x1d040:
0f44681f a3548a600f      mov     dword ptr [officespace!KxKuaiPanInfoGetter::staticMetaObject+0x591c (0f608a54)],eax ds:002b:0f608a54=00000000
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0032d204 0f446765 officespace!qt_test_isFetchedRoot+0x1d040
0032d228 0f48a913 officespace!qt_test_isFetchedRoot+0x1cf86
0032d260 0f3e75f2 officespace!verify+0x18999
0032d26c 664d5bce officespace!KxKuaiPanInfoGetter::qt_metacall+0x2308


XVID整数下溢问题分析

先埋坑,旧的那些IE的坑填完了再写这篇好了。

漏洞作者:blast
来源:http://nul.pw/

0:012> g
(2e40.2d4c): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for F:\Windows\system32\xvidcore.dll -


xvid是一种遵循MPEG-4 Part 2规范的视频编码格式。那开源的xvid解析器在解析所有的mp4时都是正确的吗?显然不是,看看这一个例子吧。

xvidcore在解析一个畸形的mp4文件时,处理vop可能发生整数下溢。vop可以极为简化地理解为帧,当然两者还是有区别的。一个vop的结构看起来像是:

vop_start_code (32 bits - 0x000001B6)
vop_coding_type (2 bits - 0=I, 1=P, 2=B, 3=S)
modulo_time_base (length varies)
marker_bit (1 bit - always 1)
vop_time_increment (length varies)
marker_bit (1 bit - always 1)
vop_coded (1 bit - 0 for NVOPs, 1 otherwise)

0x000001b6 是MPEG-4 Part 2规定的vop_start_code。

在AVS流中,start code是一段特殊的比特序列,每组start code都由start code prefix和start code value组成。start code prefix由23个0位和1个1位组成,也即0x00 00 01。所有的start code都是按字节对齐的。

0x000001b6是pb_picture_start_code,这代表了一个P图或者B图的开始。前向帧间预测(P图)和双向帧间预测(B图)由一个2位无符号数表示,01==P图,02==B图。

一个NAL单元结构如下:

1bit     2bits           5bits            payload information
|-----|----------|-------------------|-----------------
  FZB     NRI                NUT             RBSP
^---------------header---------------^

forbidden-zero-bit
NAL-ref-idc
NAL-unit-type

NAL是网络抽象层(Network Abstraction Layer)的缩写,这一层主要是为了向网络友好的环境传输数据用的。要把AVS视频流映射成NAL单元,只要把每个以0x000001开头的数据单元映射到一个NAL单元中,然后在start code之前增加一个1字节的NAL单元头即可。

如果对这个有兴趣的话,可以参考一下这本书:

http://books.google.com.hk/books?id=6wfGBAAAQBAJ&pg=PA71&lpg=PA71&dq=0x000001b6&source=bl&ots=ZKA_0DM5aF&sig=WJo619-gGY188gxxDUKaX4z0HJI&hl=zh-CN&sa=X&ei=kUpsVO6wFISlmQXl5oDoDw&ved=0CDMQ6AEwAzgK#v=onepage&q=0x000001b6&f=false

Wireshark 2 Preview n*8字节越界读取bug

此bug已提交至官方bug tracker,bug id 10529,https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10529
漏洞作者:blast(http://nul.pw)

事发此崩溃:

(14b4.1dd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for F:\Program Files\Wireshark\Qt5Core.dll - 
*** WARNING: Unable to verify checksum for qtshark.exe
*** ERROR: Module load completed but symbols could not be loaded for qtshark.exe
Qt5Core!QPersistentModelIndex::row:
00000000`5f2d5bd0 488b01          mov     rax,qword ptr [rcx] ds:baadf00d`baadf00d=????????????????

(注:上面这个崩溃是从调试器启动的,调试堆会把新分配但未初始化的内存填成baadf00d这个模式,实际运行时应该是00000000`00000000,上面是越界8字节的情况)

查看崩溃附近的代码:

0:000> ub .
Qt5Core!QPersistentModelIndex::operator!=+0x58:
00000000`5f2d5bc8 cc              int     3
00000000`5f2d5bc9 cc              int     3
00000000`5f2d5bca cc              int     3
00000000`5f2d5bcb cc              int     3
00000000`5f2d5bcc cc              int     3
00000000`5f2d5bcd cc              int     3
00000000`5f2d5bce cc              int     3
00000000`5f2d5bcf cc              int     3
0:000> u .
Qt5Core!QPersistentModelIndex::row:
00000000`5f2d5bd0 488b01          mov     rax,qword ptr [rcx]
00000000`5f2d5bd3 4885c0          test    rax,rax
00000000`5f2d5bd6 7403            je      Qt5Core!QPersistentModelIndex::row+0xb (00000000`5f2d5bdb)
00000000`5f2d5bd8 8b00            mov     eax,dword ptr [rax]
00000000`5f2d5bda c3              ret
00000000`5f2d5bdb 83c8ff          or      eax,0FFFFFFFFh
00000000`5f2d5bde c3              ret
00000000`5f2d5bdf cc              int     3

崩溃发生在Qt5Core!QPersistentModelIndex::row的第一条指令,函数试图解引用第一个参数(rcx)读入rax时崩溃——rcx里是上面那个baadf00d`baadf00d。

0:000> .frame /c 1
01 00000000`001da420 00000000`5f8755e6 qtshark+0x90612
rax=baadf00dbaadf00d rbx=00000000001da6e8 rcx=baadf00dbaadf00d
rdx=0000000002c04e00 rsi=0000000000000014 rdi=00000000001da630
rip=000000013f820612 rsp=00000000001da420 rbp=00000000001da589
 r8=0000000000008000  r9=0000000000000008 r10=0000000000350268
r11=00000000001d9d88 r12=0000000002d3f300 r13=0000000000000003
r14=0000000002d49d30 r15=0000000002d3f300
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
qtshark+0x90612:
00000001`3f820612 498b4c2448      mov     rcx,qword ptr [r12+48h] ds:00000000`02d3f348=00c4a43f01000000
0:000> dd rcx
baadf00d`baadf00d  ???????? ???????? ???????? ????????
baadf00d`baadf01d  ???????? ???????? ???????? ????????
baadf00d`baadf02d  ???????? ???????? ???????? ????????
baadf00d`baadf03d  ???????? ???????? ???????? ????????
baadf00d`baadf04d  ???????? ???????? ???????? ????????
baadf00d`baadf05d  ???????? ???????? ???????? ????????
baadf00d`baadf06d  ???????? ???????? ???????? ????????
baadf00d`baadf07d  ???????? ???????? ???????? ????????

看看r12是从哪儿传来的。函数开头有一句mov r12,rcx,而崩溃前上方有一个mov rcx,rax:

0:000> uf . 
qtshark+0x905e0:
00000001`3f8205e0 4053            push    rbx
00000001`3f8205e2 4154            push    r12
00000001`3f8205e4 4883ec48        sub     rsp,48h
00000001`3f8205e8 488bda          mov     rbx,rdx
00000001`3f8205eb 4c8be1          mov     r12,rcx  ;here
00000001`3f8205ee ff15c4b21100    call    qword ptr [qtshark+0x1ab8b8 (00000001`3f93b8b8)]
00000001`3f8205f4 49837c244800    cmp     qword ptr [r12+48h],0
00000001`3f8205fa 0f84a1010000    je      qtshark+0x907a1 (00000001`3f8207a1)

qtshark+0x90600:
00000001`3f820600 488bcb          mov     rcx,rbx
00000001`3f820603 ff158f931100    call    qword ptr [qtshark+0x1a9998 (00000001`3f939998)]
00000001`3f820609 488bc8          mov     rcx,rax
00000001`3f82060c ff158e931100    call    qword ptr [qtshark+0x1a99a0 (00000001`3f9399a0)]

为了验证,在函数开头下断点,重新启动程序:

0:000> g
Breakpoint 0 hit
qtshark+0x905e0:
00000001`3f3d05e0 4053            push    rbx
0:000> r
rax=000000013f515d48 rbx=0000000002aff6c0 rcx=0000000002aff6c0
rdx=000000000023a488 rsi=0000000000000014 rdi=000000000023a3d0
rip=000000013f3d05e0 rsp=000000000023a218 rbp=000000000023a329
 r8=000000000023a490  r9=000000000023a3d0 r10=000000005fb1a340
r11=000000005fa55228 r12=000000000023a3d0 r13=0000000000000003
r14=0000000002b09fe0 r15=0000000002aff6c0
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
qtshark+0x905e0:
00000001`3f3d05e0 4053            push    rbx

执行期间可以发现:

0:000> 
qtshark+0x90603:
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for F:\Program Files\Wireshark\Qt5Core.dll - 
00000001`3f3d0603 ff158f931100    call    qword ptr [qtshark+0x1a9998 (00000001`3f4e9998)] ds:00000001`3f4e9998={Qt5Core!QList<QItemSelectionRange>::front (00000000`5f962d00)}
0:000> 
qtshark+0x90609:
00000001`3f3d0609 488bc8          mov     rcx,rax
0:000> r rax
Last set context:
rax=baadf00dbaadf00d

看来是Qt5Core!QList::front返回的值有问题,重启并在调用处下断点:bp qtshark+0x90603。

让我们看一下正常的操作是什么:

Breakpoint 0 hit
qtshark+0x90603:
00000001`3f9e0603 ff158f931100    call    qword ptr [qtshark+0x1a9998 (00000001`3faf9998)] ds:00000001`3faf9998={Qt5Core!QList<QItemSelectionRange>::front (00000000`5f462d00)}
0:000> r
rax=0000000000000000 rbx=000000000030a0d8 rcx=000000000030a0d8
rdx=0000000000000000 rsi=0000000000000014 rdi=000000000030a048
rip=000000013f9e0603 rsp=0000000000309e20 rbp=0000000000309f89
 r8=0000000000008000  r9=0000000000000008 r10=00000000003e0268
r11=0000000000309788 r12=0000000002c2f440 r13=0000000000000003
r14=0000000002c39e20 r15=0000000002c2f440
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
qtshark+0x90603:
00000001`3f9e0603 ff158f931100    call    qword ptr [qtshark+0x1a9998 (00000001`3faf9998)] ds:00000001`3faf9998={Qt5Core!QList<QItemSelectionRange>::front (00000000`5f462d00)}

进入之后,

0:000> t
Qt5Core!QList<QItemSelectionRange>::front:
00000000`5f462d00 488b11          mov     rdx,qword ptr [rcx] ds:00000000`0030a0d8=80c6310500000000
0:000> 
Qt5Core!QList<QItemSelectionRange>::front+0x3:
00000000`5f462d03 48634208        movsxd  rax,dword ptr [rdx+8] ds:00000000`0531c688=00000000
0:000> t
Qt5Core!QList<QItemSelectionRange>::front+0x7:
00000000`5f462d07 488b44c210      mov     rax,qword ptr [rdx+rax*8+10h] ds:00000000`0531c690=f0c52d0500000000
0:000> r
rax=0000000000000000 rbx=000000000030a0d8 rcx=000000000030a0d8
rdx=000000000531c680 rsi=0000000000000014 rdi=000000000030a048
rip=000000005f462d07 rsp=0000000000309e18 rbp=0000000000309f89
 r8=0000000000008000  r9=0000000000000008 r10=00000000003e0268
r11=0000000000309788 r12=0000000002c2f440 r13=0000000000000003
r14=0000000002c39e20 r15=0000000002c2f440
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
Qt5Core!QList<QItemSelectionRange>::front+0x7:
00000000`5f462d07 488b44c210      mov     rax,qword ptr [rdx+rax*8+10h] ds:00000000`0531c690=f0c52d0500000000
0:000> t
Qt5Core!QList<QItemSelectionRange>::front+0xc:
00000000`5f462d0c c3              ret
0:000> r
rax=00000000052dc5f0

这一次执行结果是返回了一个指针。

这是不正常的走向:

0:000> r
rax=0000000000000000 rbx=00000000001da648 rcx=00000000001da648
rdx=000007feebae9ff0 rsi=0000000000000014 rdi=00000000001da590
rip=000000013f860603 rsp=00000000001da380 rbp=00000000001da4e9
 r8=0000000000000005  r9=0000000000000069 r10=0000000000000000
r11=0000000000000002 r12=00000000027bf3f0 r13=0000000000000003
r14=00000000027c9e30 r15=00000000027bf3f0
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
qtshark+0x90603:
00000001`3f860603 ff158f931100    call    qword ptr [qtshark+0x1a9998 (00000001`3f979998)] ds:00000001`3f979998={Qt5Core!QList<QItemSelectionRange>::front (00000000`5f962d00)}
0:000> t
Qt5Core!QList<QItemSelectionRange>::front:
00000000`5f962d00 488b11          mov     rdx,qword ptr [rcx] ds:00000000`001da648=10cf6b0200000000
0:000> 
Qt5Core!QList<QItemSelectionRange>::front+0x3:
00000000`5f962d03 48634208        movsxd  rax,dword ptr [rdx+8] ds:00000000`026bcf18=01000000
0:000> 
Qt5Core!QList<QItemSelectionRange>::front+0x7:
00000000`5f962d07 488b44c210      mov     rax,qword ptr [rdx+rax*8+10h] ds:00000000`026bcf28=0df0adba0df0adba
0:000> 
Qt5Core!QList<QItemSelectionRange>::front+0xc:
00000000`5f962d0c c3              ret

由于每次操作会产生2个selection change事件,所以出问题的是第二次调用。

Qt5Core!QList<QItemSelectionRange>::front:
; WinDbg listing of the Qt5Core export (MS x64 ABI, so rcx = this).
; Returns one element of the list by index. From the two traced runs above:
; rdx = *rcx is the list's heap data block, the dword at rdx+8 is the element
; index (0 in the good run, 1 in the bad one), and the qword at rdx+rax*8+10h
; is that element's slot. Nothing here compares the index against the size of
; the block: on the bad run slot 1 holds uninitialized heap (baadf00d), which is
; the out-of-bounds read this post is about.
mov     rdx,qword ptr [rcx]             ; rdx = *this  (data block)
movsxd  rax,dword ptr [rdx+8]           ; rax = sign-extended index; NOTE(review): presumably QListData::Data::begin — confirm against the Qt headers
mov     rax,qword ptr [rdx+rax*8+10h]   ; rax = block->array[rax]; no bounds check
ret

而这个函数的整个操作就这4行。

rdx = *rcx;
rax = *(rdx+8);
return *(rdx+rax*8+0x10);

综合一下就是:

return *(*rcx + (*(*rcx+8))*8 + 0x10);

实际执行起来是:

return *(*arg1+0x10);

或者

return *(*arg1+0x18);

//取决于选的数量

由于我们没有符号,不知道具体代表什么,但是在出问题的那次调用里,如果看一下内存:

0:000> r
rax=0000000000000001 rbx=000000000015a6c8 rcx=000000000015a6c8
rdx=0000000005143d90 rsi=0000000000000014 rdi=000000000015a610
rip=000000005f462d07 rsp=000000000015a3f8 rbp=000000000015a569
 r8=0000000000008000  r9=0000000000000008 r10=0000000001f30268
r11=0000000000159d68 r12=0000000002d3f220 r13=0000000000000003
r14=0000000002d49bb0 r15=0000000002d3f220
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
Qt5Core!QList<QItemSelectionRange>::front+0x7:
00000000`5f462d07 488b44c210      mov     rax,qword ptr [rdx+rax*8+10h] ds:00000000`05143da8=0df0adba0df0adba
0:000> dd rdx+10
00000000`05143da0  02d678b0 00000000 baadf00d baadf00d
00000000`05143db0  abababab abababab abababab abababab

看到好玩的了吧,这纯粹是越界访问了:rdx+0x10开始的数组里只有索引0处是一个有效指针(02d678b0),索引1处已经是未初始化的堆内存(baadf00d),而front并不检查索引是否越界。那么既然选一个就是+0x8,如果可以选上更多的数据,是否就可以读到后面的0x00000040 00000000呢?我猜应该是可以的吧=v=

0:000> .cxr
Resetting default scope
0:000> dd rdx+10
00000000`05143da0  02d678b0 00000000 baadf00d baadf00d
00000000`05143db0  abababab abababab abababab abababab
00000000`05143dc0  00000000 00000000 00000000 00000000
00000000`05143dd0  00000040 00000000

Internet Explorer 11 实例分析 [1]

介绍了很多Internet Explorer的函数、类的东西了,让我们实战演练一下,分析一个至2014年10月3日微软尚未修复的Internet Explorer 11中存在的空指针解引用问题。

...
等5天后发布