Bug 19515
Summary: | DOM modification causes stack exhaustion (Caused by colGroup?) |
---|---|
Product: | WebKit |
Component: | New Bugs |
Status: | RESOLVED DUPLICATE |
Severity: | Normal |
Priority: | P1 |
Version: | 525.x (Safari 3.1) |
Hardware: | PC |
OS: | Windows Vista |
URL: | http://skypher.com/SkyLined/Repro/Safari/Stack%20exhaustion%20colGroup/repro.html |
Reporter: | Berend-Jan Wever <skylined> |
Assignee: | Nobody <webkit-unassigned> |
CC: | aroben, mitz |
Keywords: | InRadar, PlatformOnly |
Berend-Jan Wever
I found that the following JavaScript causes a stack exhaustion:
<BODY onload="go()"><SCRIPT>
var i=0;
function go() {
  oColGroup=document.createElement('colGroup');
  document.body.appendChild(oColGroup);
  oComment=document.createElement('b');
  document.body.insertAdjacentElement('afterBegin', oComment);
}
</SCRIPT></BODY>
Something tells me the colGroup is the culprit, but I have no way of backing that up.
Tested with Safari 3.1.1.
Marked as security, I'm not sure if you treat DoS as a security issue, so erring on the safe side.
Berend-Jan Wever
Changing priority and security flag
Mark Rowe (bdash)
<rdar://problem/6007110>
Adam Roben (:aroben)
Why is this bug marked PlatformOnly?
Kevin McCullough
*** This bug has been marked as a duplicate of 19519 ***