Bug 19515

Summary: DOM modification causes stack exhaustion (Caused by colGroup?)
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: aroben, mitz
Priority: P1 Keywords: InRadar, PlatformOnly
Version: 525.x (Safari 3.1)   
Hardware: PC   
OS: Windows Vista   
URL: http://skypher.com/SkyLined/Repro/Safari/Stack%20exhaustion%20colGroup/repro.html

Description Berend-Jan Wever 2008-06-12 04:16:15 PDT 
I found that the following javascript causes a stack exhaustion:

<BODY onload="go()"><SCRIPT>
    var i=0;
    function go() {
        oColGroup=document.createElement('colGroup');
        document.body.appendChild(oColGroup);
        oComment=document.createElement('b');
        document.body.insertAdjacentElement('afterBegin', oComment);
    }
</SCRIPT></BODY>

Something tells me the colGroup is the culprit, but I have no way of backing that up.
Tested with Safari 3.1.1.

Marked as security, I'm not sure if you treat DoS as a security issue, so erring on the safe side.
Comment 1 Berend-Jan Wever 2008-06-13 06:29:07 PDT 
Changing priority and security flag
Comment 2 Mark Rowe (bdash) 2008-06-13 14:52:34 PDT 
<rdar://problem/6007110>
Comment 3 Adam Roben (:aroben) 2008-06-14 08:51:20 PDT 
Why is this bug marked PlatformOnly?
Comment 4 Kevin McCullough 2008-06-20 16:12:42 PDT 

*** This bug has been marked as a duplicate of 19519 ***