If you're interested in researching the vulnerability (using this PoC), set a breakpoint on MSHTML!CImgElement::CImgElement, then run until MSHTML!CTreeNode::CTreeNode is hit. This tree node is freed during MSHTML!CImgHelper::Fire_onerror, but is later accessed during MSHTML!CEventObj::get_srcElement.
Breakpoint 0 hit
eax=002033d0 ebx=001ae3bc ecx=002033d0 edx=00000034 esi=001ae308 edi=0022ffe8
eip=3e553f4e esp=019dfb9c ebp=019dfba8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CImgElement::CImgElement:
3e553f4e 8bff            mov     edi,edi
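
The lifetime problem described above (node created, freed while the error event fires, then read back through the event object) can be modelled in a few lines. This is an added example, not code from the original post and not MSHTML's implementation: the `TreeNode` and `EventObj` structs, the fixed pool, and the reference-counted variant are assumptions made for illustration.

```c
#include <stdio.h>
/* Simplified model, not MSHTML code: a fixed pool stands in for the heap so a
   stale access is detected instead of causing undefined behaviour. */
typedef struct { int refs; int live; } TreeNode;
typedef struct { TreeNode *src; int owns_ref; } EventObj;
static TreeNode pool[4];

static TreeNode *node_create(void) {
    for (int i = 0; i < 4; i++)
        if (!pool[i].live) {
            pool[i].live = pool[i].refs = 1;
            return &pool[i];
        }
    return NULL;
}

/* Drop one reference; the node counts as freed when the count reaches zero. */
static void node_release(TreeNode *n) { if (--n->refs == 0) n->live = 0; }

/* Flawed form copies the raw pointer; hardened form takes its own reference. */
static EventObj event_create(TreeNode *n, int hardened) {
    EventObj e = { n, hardened };
    if (hardened) n->refs++;
    return e;
}

/* Stands in for get_srcElement: 0 if the node is still valid, -1 if stale. */
static int event_get_src(const EventObj *e) { return e->src->live ? 0 : -1; }

/* Replays the order from the text: node created, released while the error
   event is handled, then read back through the event object. */
static int replay(int hardened) {
    TreeNode *n = node_create();
    if (!n) return -2;
    EventObj ev = event_create(n, hardened);
    node_release(n);               /* element's reference dropped in the handler */
    int rc = event_get_src(&ev);   /* later access through the event object */
    if (ev.owns_ref) node_release(ev.src);
    return rc;
}

int main(void) {
    printf("raw pointer: %d, ref-counted: %d\n", replay(0), replay(1));
    return 0;
}
```

In the model, the raw-pointer form reports the stale access, while the form that holds its own reference keeps the node valid until the event object is done with it.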