Bug 23550

Summary: Browser can eat up all available memory and then crashes
Product: WebKit
Reporter: Yael <yael>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: mrowe, thierry
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
Description: Limit the length of select element that can be set from javascript
Flags: mrowe: review-

Yael
Reported 2009-01-26 13:57:39 PST
Browser would eat up all the available memory in the system and crash when it processes this simple javascript: e = document.createElement("select"); e.length=2147483647;
Attachments
Limit the length of select element that can be set from javascript (3.78 KB, patch)
2009-01-26 13:59 PST, Yael
mrowe: review-
Yael
Comment 1 2009-01-26 13:59:56 PST
Created attachment 27044 [details] Limit the length of select element that can be set from javascript
Mark Rowe (bdash)
Comment 2 2009-01-26 17:48:11 PST
Where did the limit of 1000 come from? What maximum size do Firefox and IE allow?
Yael
Comment 3 2009-01-26 18:11:04 PST
(In reply to comment #2)
> Where did the limit of 1000 come from? What maximum size do Firefox and IE allow?

The 1000 limit is a guess; it could change if it breaks web sites. IE and Opera do not have a limit: they eat up all the available memory and then crash. Firefox does not support setting the length on HTMLSelectElement and throws a NOT_SUPPORTED_ERR exception. This behavior is based on the spec in http://www.w3.org/TR/DOM-Level-2-HTML/html.html#ID-94282980. I thought that we still want to be compatible with IE and Opera, hence the limit.
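The three behaviours compared in comment 3, modelled as an added example that is not WebKit's patch or any browser's code: an unbounded setter (IE/Opera as described), the DOM Level 2 HTML read-only behaviour (Firefox), and a setter that validates against a cap before allocating. Assumptions: the select is a plain option array, the cap of 1000 is the guess from comment 3, and an over-limit assignment is ignored (the page does not show how the patch behaves at the limit).

```javascript
// Added example, not the WebKit patch. A stand-in for HTMLSelectElement.length
// assignment that shows where the bound check from this bug belongs.
const MAX_SELECT_LENGTH = 1000; // the guess from comment 3 (assumption: ignore above it)

class NotSupportedError extends Error {
  constructor(msg) { super(msg); this.name = "NOT_SUPPORTED_ERR"; }
}

// Minimal stand-in for the element: options are blank <option> records.
function makeSelect() { return { options: [] }; }

// Shared resize step. Cost is proportional to the requested length, which is
// exactly why the caller must validate `n` before calling this.
function resizeOptions(select, n) {
  if (n > select.options.length) {
    for (let i = select.options.length; i < n; i++) select.options.push({ text: "" });
  } else {
    select.options.length = n; // shrinking drops trailing options
  }
  return select.options.length;
}

// Behaviour the report describes for IE/Opera and unpatched WebKit: the
// requested length goes straight to allocation. e.length = 2147483647 means
// about 2^31 option objects, i.e. all available memory. Kept only as the
// "before" picture; never call it with attacker-sized values.
function setLengthUnbounded(select, newLength) {
  const n = Number(newLength) >>> 0; // WebIDL unsigned long coercion: -1 becomes 4294967295
  return resizeOptions(select, n);
}

// DOM Level 2 HTML behaviour (Firefox in comment 3): length is read-only, so
// the assignment fails with NOT_SUPPORTED_ERR and nothing is allocated.
function setLengthReadOnly(select, newLength) {
  throw new NotSupportedError(`cannot set length to ${newLength}`);
}

// The patch's approach: check the coerced value against a fixed cap before any
// allocation. Returns false and leaves the element untouched when refused,
// otherwise the new length.
function setLengthLimited(select, newLength, cap = MAX_SELECT_LENGTH) {
  const n = Number(newLength) >>> 0;
  if (n > cap) return false;
  return resizeOptions(select, n);
}
```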
Yael
Comment 4 2009-01-27 05:55:59 PST
I should mention that this bug was found by Thierry Zoller. http://secdev.zoller.lu/
Sam Weinig
Comment 5 2009-01-27 07:45:19 PST
*** This bug has been marked as a duplicate of 23319 ***
black0ut
Comment 6 2009-01-27 09:56:48 PST
Dear Yael, You have been sent the POC to treat responsibly, not to submit it to vendors and not give credit for my discovery. That said, Nokia devices are affected too. How are you proceeding? I have tested a few of your devices.
black0ut
Comment 7 2009-01-27 10:08:33 PST
Dear Yael, Sorry, I have missed comment #4. However, please notify me before contacting vendors; I am currently coordinating disclosure and you just posted the POC as an open bug report.
Mark Rowe (bdash)
Comment 8 2009-01-30 04:39:30 PST
Comment on attachment 27044 [details]
Limit the length of select element that can be set from javascript

Clearing review flag since the bug has been closed.