The DHTML Editing Component (TriEdit) provides the HTML editing functionality in legacy IE versions. It still carries at least one bug: while editing HTML content that contains
<font size=[DBCS][WCS]>...
e.g.
<font size=-测试>
the control crashes. The cause is that the GetHint() function in TriEdit only validates the character at the current position in the char buffer; it forgets to validate the character at position+1 before using it as a table index.
Debugging:
0:000> r
eax=0000c724 ebx=052850a8 ecx=00006026 edx=00000889 esi=00000888 edi=0000080f
eip=5b4b9316 esp=0013b224 ebp=0013b230 iopl=0 nv up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010287
triedit!GetHint+0x5b:
5b4b9316 66393c4590134c5b cmp word ptr triedit!g_hintTable (5b4c1390)[eax*2],di ds:0023:5b4da1d8=????
This instruction is the equivalent of a C statement like: if ( triedit!g_hintTable[ptrBuffer[ptrPos+1]] == hint ), where hint (di) is 0x80f here. eax holds the unvalidated next character (0xc724), so the index runs far past g_hintTable into unmapped memory (the ???? in the dump).
0:000> u triedit!GetHint triedit!GetHint+0x5b
5b4b92bb 8bff mov edi,edi
5b4b92bd 55 push ebp
5b4b92be 8bec mov ebp,esp
5b4b92c0 53 push ebx
5b4b92c1 8b5d08 mov ebx,dword ptr [ebp+8] <<<<< 1st argument: base pointer of the (wide) char buffer
5b4b92c4 56 push esi
5b4b92c5 8b7510 mov esi,dword ptr [ebp+10h] <<<<< 3rd argument: the current position, used as an index below
5b4b92c8 0fb70473 movzx eax,word ptr [ebx+esi*2] <<<<< ptrBuffer[ptrPos]
5b4b92cc a980ffffff test eax,0FFFFFF80h <<<<< check whether it is non-ASCII (>= 0x80), i.e. DBCS or WCS; if so return 900Ch
5b4b92d1 7409 je triedit!GetHint+0x21 (5b4b92dc)
5b4b92d3 66b80c90 mov ax,900Ch
5b4b92d7 e9a4000000 jmp triedit!GetHint+0xc5 (5b4b9380)
5b4b92dc 57 push edi
5b4b92dd 33ff xor edi,edi
5b4b92df 668b3c4590134c5b mov di,word ptr triedit!g_hintTable (5b4c1390)[eax*2]
5b4b92e7 57 push edi
5b4b92e8 897d08 mov dword ptr [ebp+8],edi
5b4b92eb e838f8ffff call triedit!IsSingleOp (5b4b8b28)
5b4b92f0 85c0 test eax,eax
5b4b92f2 757a jne triedit!GetHint+0xb3 (5b4b936e)
5b4b92f4 6681ff0008 cmp di,800h
5b4b92f9 7473 je triedit!GetHint+0xb3 (5b4b936e)
5b4b92fb 6681ff1d08 cmp di,81Dh
5b4b9300 746c je triedit!GetHint+0xb3 (5b4b936e)
5b4b9302 6681ff0f08 cmp di,80Fh
5b4b9307 7572 jne triedit!GetHint+0xc0 (5b4b937b)
5b4b9309 8d5601 lea edx,[esi+1]
5b4b930c 3b550c cmp edx,dword ptr [ebp+0Ch] <<<<< 2nd argument: buffer length; ptrPos+1 is bounds-checked against it...
5b4b930f 734e jae triedit!GetHint+0xa4 (5b4b935f)
5b4b9311 0fb7447302 movzx eax,word ptr [ebx+esi*2+2] <<<<< ptrBuffer[ptrPos+1] !!! BUG: ...but the character value itself is never checked against 0x80 before it is used as an index at offset 0x5b
5b4b9316 66393c4590134c5b cmp word ptr triedit!g_hintTable (5b4c1390)[eax*2],di
So the fix is to add the same validation for ptrBuffer[ptrPos+1] before using it as an index. It is a common error :)
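To make the lookahead bug concrete, here is a C model of the GetHint() logic reconstructed from the listing above, with the vulnerable lookup next to the fixed one. This is an added example, not TriEdit's code: the 128-entry table, the '-' -> 0x80F and '=' -> 0x81D mappings, and the HINT_MATCH return value are assumptions made for illustration; the 0xFF80 mask, the 0x900C/0x800/0x81D/0x80F constants and the length check come from the disassembly. The sample buffer is the page's <font size=-测试> encoded as UTF-16, constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hint codes seen in the listing (test eax,0FFFFFF80h -> mov ax,900Ch; cmp di,800h/81Dh/80Fh). */
#define HINT_WIDE   0x900C  /* returned for any character >= 0x80 (DBCS/WCS) */
#define HINT_SINGLE 0x0800
#define HINT_81D    0x081D
#define HINT_80F    0x080F  /* the class that triggers the one-character lookahead */
#define HINT_MATCH  0x1000  /* ASSUMED: result when the next char has the same hint */
#define TABLE_SIZE  128     /* ASSUMED: g_hintTable is indexed by ASCII code only */

/* ASSUMED contents: only the entries this example needs are populated. */
static const uint16_t g_hintTable[TABLE_SIZE] = {
    ['-'] = HINT_80F,
    ['='] = HINT_81D,
    [' '] = HINT_SINGLE,
};

/* Index the unchecked lookahead would use; lets a caller see the OOB without performing it. */
size_t lookahead_index(const uint16_t *buf, size_t len, size_t pos)
{
    if (pos + 1 >= len) return 0;
    return buf[pos + 1];
}

/* Vulnerable model: mirrors GetHint+0x11 .. +0x5b. */
uint16_t get_hint_vulnerable(const uint16_t *buf, size_t len, size_t pos)
{
    uint16_t c = buf[pos];
    if (c & 0xFF80) return HINT_WIDE;          /* current char IS validated */
    uint16_t hint = g_hintTable[c];
    if (hint == HINT_SINGLE || hint == HINT_81D) return hint;
    if (hint != HINT_80F) return hint;
    if (pos + 1 >= len) return hint;           /* length check exists (cmp edx,[ebp+0Ch]) */
    uint16_t next = buf[pos + 1];              /* BUG: next char is NOT validated */
    if (g_hintTable[next] == hint)             /* OOB read when next >= TABLE_SIZE */
        return HINT_MATCH;
    return hint;
}

/* Fixed model: the same 0x80 check is applied to the lookahead character. */
uint16_t get_hint_fixed(const uint16_t *buf, size_t len, size_t pos)
{
    uint16_t c = buf[pos];
    if (c & 0xFF80) return HINT_WIDE;
    uint16_t hint = g_hintTable[c];
    if (hint == HINT_SINGLE || hint == HINT_81D) return hint;
    if (hint != HINT_80F) return hint;
    if (pos + 1 >= len) return hint;
    uint16_t next = buf[pos + 1];
    if (next & 0xFF80) return hint;            /* FIX: a wide char can never match an ASCII hint */
    if (g_hintTable[next] == hint)
        return HINT_MATCH;
    return hint;
}

/* Constructed sample: "<font size=-测试>" as UTF-16 (测 = U+6D4B, 试 = U+8BD5). */
static const uint16_t sample[] = {
    '<','f','o','n','t',' ','s','i','z','e','=','-',0x6D4B,0x8BD5,'>'
};
#define SAMPLE_LEN (sizeof(sample) / sizeof(sample[0]))
#define DASH_POS 11

int main(void)
{
    printf("lookahead index for '-' at pos %d: 0x%zx (table has %d entries)\n",
           DASH_POS, lookahead_index(sample, SAMPLE_LEN, DASH_POS), TABLE_SIZE);
    printf("fixed GetHint at '-': 0x%04x\n", get_hint_fixed(sample, SAMPLE_LEN, DASH_POS));
    return 0;
}
```

main() deliberately does not call get_hint_vulnerable() on the sample buffer, because with a 0x6D4B index that is a genuine out-of-bounds read; it prints the index instead so the overshoot is visible without crashing.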
This issue affects OWA installations that do not have KB911829 installed.