Bug 19519
Field | Value | Field | Value
---|---|---|---
Summary: | DOM modification causes stack exhaustion (BUTTON OBJECT COLGROUP) | |
Product: | WebKit | Reporter: | Berend-Jan Wever <skylined>
Component: | Layout and Rendering | Assignee: | mitz
Status: | RESOLVED FIXED | |
Severity: | Normal | CC: | ap
Priority: | P1 | Keywords: | InRadar
Version: | 525.x (Safari 3.1) | |
Hardware: | All | |
OS: | All | |
URL: | http://skypher.com/SkyLined/Repro/Safari/Stack%20exhaustion%20BUTTON%20OBJECT%20COLGROUP/repro.html | |
Berend-Jan Wever
I found that the following JavaScript causes stack exhaustion:
<BODY onload="go()"><SCRIPT>
function go() {
    oButton=document.createElement('button');
    document.body.appendChild(oButton);
    oButton.outerHTML='';
    oButton.innerHTML='<object>x<colGroup></colGroup></object>';
    document.body.insertAdjacentElement('beforeBegin', oButton);
}
</SCRIPT></BODY>
Tested with Safari 3.1.1.
Marked as security; I'm not sure if you treat DoS as a security issue, so I'm erring on the safe side.
Stack exhaustion appears to be in WebKit!JSValueMakeNull. This may be the same bug as 19514 and/or 19515.
Alexey Proskuryakov
We don't treat denial of service attacks as security issues (unless the bugs are exploitable for remote code execution), but reproducible crashes are P1.
On a local debug build, I'm hitting an assertion:
ASSERTION FAILED: beforeChild->parent()->isAnonymousBlock()
0 com.apple.WebCore 0x02b4b35d WebCore::RenderBlock::addChildToFlow(WebCore::RenderObject*, WebCore::RenderObject*) + 297 (RenderBlock.cpp:162)
See also: bug 19220.
Mark Rowe (bdash)
<rdar://problem/6007345>
mitz
Fixed in <http://trac.webkit.org/changeset/34692>.
Kevin McCullough
*** Bug 19515 has been marked as a duplicate of this bug. ***