Loading an RSS/Atom feed inside an iframe and pressing F12 to open IE8 Developer Tools triggers an access violation in iedvtool!CDOMNodeContainer::LoadChildDocument+0x178. The crash reads from address 0x0000000c — a null pointer offset, classified as branch-selection control by !exploitable.
```html
<iframe src="rss.xml" width="90%" height="100"></iframe>
```
Press F12 after the feed loads to trigger the crash. The fault occurs at iedvtool.dll version 8.00.7100.0 (IE8 RC). The ESI register is 0x0000000c — a result of adding 0x0Ch to a null pointer — and the subsequent mov eax,dword ptr [esi] faults. Tested on Win7/IE8 and XP/IE8.
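As an added illustration (not code from the original post or from IE's own sources), this C model shows why a field at offset 0x0C of a null object pointer produces a read fault at exactly 0x0000000c, and the null check that prevents it; the struct layout and function names are assumptions, not the real iedvtool internals.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the container object, NOT the real iedvtool layout.
 * Four 4-byte fields put 'child_doc' at offset 0x0C, matching the
 * faulting address (null + 0x0C) in the crash report above. */
struct dom_node_container {
    uint32_t refcount;   /* offset 0x00 */
    uint32_t flags;      /* offset 0x04 */
    uint32_t node_type;  /* offset 0x08 */
    uint32_t child_doc;  /* offset 0x0C: read by the load routine */
};

/* Computes the address the unchecked code would read for a given
 * (possibly null) container pointer, without dereferencing it. */
uintptr_t faulting_read_address(const struct dom_node_container *c)
{
    return (uintptr_t)c + offsetof(struct dom_node_container, child_doc);
}

/* Unchecked version: adds 0x0C to the pointer and reads through it,
 * so a null container faults at address 0x0000000c. */
uint32_t load_child_document_unchecked(const struct dom_node_container *c)
{
    return c->child_doc;
}

/* Hardened version: rejects a null container before touching the field.
 * Returns 0 on success, -1 when no container (or output slot) is given. */
int load_child_document_checked(const struct dom_node_container *c, uint32_t *out)
{
    if (c == NULL || out == NULL)
        return -1;
    *out = c->child_doc;
    return 0;
}

int main(void)
{
    struct dom_node_container doc = { 1, 0, 9, 0x1234 };  /* constructed sample */
    uint32_t v = 0;
    printf("read address for NULL container: 0x%08lx\n",
           (unsigned long)faulting_read_address(NULL));
    printf("checked load on NULL: %d\n", load_child_document_checked(NULL, &v));
    if (load_child_document_checked(&doc, &v) == 0)
        printf("checked load on valid container: 0x%x\n", v);
    return 0;
}
```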
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.