Re: Opera Browser goes Crash

From: Aaron Lafferty
Date: 10/23/01

Message-ID: <010801c15bd9$70407d70$9865fea9@VISHNU>
From: "Aaron Lafferty" <>
To: "Holmes, Ben" <>, "Vuln-Dev (E-mail)" <>
Subject: Re: Opera Browser goes Crash
Date: Tue, 23 Oct 2001 11:43:18 -0400

I can confirm this on Opera 5.11 build 904 running on Windows 2000 SP2
w/ all critical fixes.

----- Original Message -----
From: "Holmes, Ben" <>
To: "Vuln-Dev (E-mail)" <>
Sent: Tuesday, October 23, 2001 4:53 AM
Subject: Opera Browser goes Crash

> Hash: SHA1
> I usually use Opera browser (it truly is a fast browser), and it just
> when I went to a link...
> The link was ""
> In Netscape, it is supposed to play a sound file...
> In I.E. it just comes up and allows you to view the source.
> The source is basically a small JavaScript part (and that should work
> but the other part is a large embedded sound file.. it is in this form:
> '<embed src="data:audio/wav;base64,[Base 64 data of a sound file]"
> autostart=true width=0 height=0 loop=true>' tag.
> It didn't seem to give an error message or anything.. if it was
> a buffer I'd usually expect that it would generate a windows error message
> when it gets random junk like this... But it just closes.. completely and
> gracefully... but it closes nevertheless..
> I am thinking:
> A> It is a configuration problem on this PC... It decodes the Base 64 (or
> goes to) but some plug in or system it uses to play the file or decode it
> that is possibly specific to this PC dies.
> B> The length of the embed tag is too long and overflows an internal
> and jumps right to a close (either graciously, or by super good error
> checking routines)... Or something else happens that makes windows not
> notice that a program is doing wierd_funky_things (tm)
> C> The "embed" tag is touchy and its implementation is bad, this doesn't
> seem to be the case though, because if I make the [Base 64 data of a sound file]
> part much smaller, it just does the same as IE does.
> If it is "B"... is it exploitable in the form:
> '<embed src="data:audio/wav;base64,[Nasty code][Padding][address of a jmp
> esp]" autostart=true width=0 height=0 loop=true>'
> or some other such thing, that would cause "Nasty Code" to be run in the
> Opera process.
> Does it happen on anyone else's computer that runs Opera... or is this
> little, currently Opera-specific DoS also "this computer" specific...
> - -- Benjamin Holmes
> E&OE. All spelling and grammatical errors are for your enjoyment and
> entertainment only and are copyright Benjamin Holmes.
> Version: PGPfreeware 7.0.3 for non-commercial use <>
> Comment: Pee Gee Peeeeee!
> iQA/AwUBO9Uv/HLvuelW5gClEQLO5wCg+K5tXdKdWAiaEBj71BiYnks964wAoJP5
> VvPSGdUiC5c8kZ8/yhA5DZ06
> =XF0I
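The thread above establishes the shape of the trigger: an `<embed>` whose `src` is a `data:audio/wav;base64,...` URI whose payload is large, and Ben notes that the same tag with a much smaller payload is handled fine. The natural defensive control while a browser fix is pending is to inspect inline `data:` URIs before they reach the client (in a proxy, a mail gateway or a static check over served pages). The following Python inspector is an added example written for this page; it is not code from either poster or from Opera. It pulls every base64 `data:` URI out of `<embed>` tags, decodes it with strict validation, flags payloads over a size threshold (the 64 KiB figure is an assumed policy value, not something the thread states) and checks that a payload declared as `audio/wav` actually starts with a RIFF/WAVE header. The sample HTML it runs over is constructed inline for the demonstration.

```python
import base64
import binascii
import re
import struct

# Matches src="data:<mime>;base64,<payload>" inside an <embed ...> tag.
# The payload group only admits base64 alphabet characters, so the match
# stops at the closing quote or the next attribute.
EMBED_DATA_RE = re.compile(
    r'<embed\b[^>]*?\bsrc\s*=\s*["\']?data:(?P<mime>[^;"\'\s]+);base64,'
    r'(?P<b64>[A-Za-z0-9+/=]*)',
    re.IGNORECASE,
)

# Assumed policy threshold for inline media; tune to your environment.
MAX_INLINE_BYTES = 64 * 1024

WAV_MIMES = ("audio/wav", "audio/x-wav", "audio/wave")


def looks_like_wav(raw):
    """Minimal RIFF/WAVE header check: b'RIFF' <u32 size> b'WAVE'."""
    if len(raw) < 12:
        return False
    riff, _size, wave = struct.unpack("<4sI4s", raw[:12])
    return riff == b"RIFF" and wave == b"WAVE"


def inspect_embed_data_uris(html, max_bytes=MAX_INLINE_BYTES):
    """Return one finding per <embed> data: URI found in html.

    Each finding records the declared MIME type, the base64 and decoded
    lengths, and a list of issues: 'malformed-base64', 'oversized',
    'mime-content-mismatch' (declared WAV but no RIFF/WAVE header).
    """
    findings = []
    for m in EMBED_DATA_RE.finditer(html):
        mime = m.group("mime").lower()
        b64 = m.group("b64")
        finding = {"mime": mime, "b64_len": len(b64),
                   "decoded_len": None, "issues": []}
        try:
            # validate=True rejects stray characters and bad padding
            raw = base64.b64decode(b64, validate=True)
        except binascii.Error:
            finding["issues"].append("malformed-base64")
            raw = None
        if raw is not None:
            finding["decoded_len"] = len(raw)
            if len(raw) > max_bytes:
                finding["issues"].append("oversized")
            if mime in WAV_MIMES and not looks_like_wav(raw):
                finding["issues"].append("mime-content-mismatch")
        findings.append(finding)
    return findings


def make_min_wav(n_samples=8):
    """Build a tiny valid 8-bit mono PCM WAV (constructed test fixture)."""
    data = bytes(n_samples)
    fmt = struct.pack("<4sIHHIIHH", b"fmt ", 16, 1, 1, 8000, 8000, 1, 8)
    data_chunk = struct.pack("<4sI", b"data", len(data)) + data
    riff_size = 4 + len(fmt) + len(data_chunk)
    return b"RIFF" + struct.pack("<I", riff_size) + b"WAVE" + fmt + data_chunk


# Constructed sample page: one legitimate small WAV, one 100 KiB blob of
# filler bytes declared as WAV, and one tag with broken base64 padding.
SMALL_WAV_B64 = base64.b64encode(make_min_wav()).decode()
JUNK_B64 = base64.b64encode(b"\x00" * (100 * 1024)).decode()
SAMPLE_HTML = (
    "<html><body>\n"
    f'<embed src="data:audio/wav;base64,{SMALL_WAV_B64}" '
    'autostart=true width=0 height=0 loop=true>\n'
    f'<embed src="data:audio/wav;base64,{JUNK_B64}" '
    'autostart=true width=0 height=0 loop=true>\n'
    '<embed src="data:audio/wav;base64,QUJ" autostart=true>\n'
    "</body></html>\n"
)


if __name__ == "__main__":
    for i, f in enumerate(inspect_embed_data_uris(SAMPLE_HTML), 1):
        status = ", ".join(f["issues"]) or "ok"
        print(f"embed #{i}: mime={f['mime']} decoded={f['decoded_len']} -> {status}")
```

Running the block prints one line per tag: the small WAV passes, the filler blob is reported as both oversized and not a WAV, and the third tag is rejected as malformed base64. The size check is the one that maps directly onto the behaviour reported in the thread; the header check is cheap and catches the "random junk" case Ben describes, since a payload that is not a WAV has no business being handed to an audio decoder at all.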