Bug 19515 - DOM modification causes stack exhaustion (Caused by colGroup?)
Status: RESOLVED DUPLICATE of bug 19519
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 525.x (Safari 3.1)
Hardware: PC Windows Vista
Importance: P1 Normal
Assignee: Nobody
URL: http://skypher.com/SkyLined/Repro/Saf...
Keywords: InRadar, PlatformOnly
Reported: 2008-06-12 04:16 PDT by Berend-Jan Wever
Modified: 2008-06-20 16:46 PDT
Description Berend-Jan Wever 2008-06-12 04:16:15 PDT
I found that the following JavaScript causes a stack exhaustion:

<BODY onload="go()"><SCRIPT>
    var i=0;
    function go() {
        oColGroup=document.createElement('colGroup');
        document.body.appendChild(oColGroup);
        oComment=document.createElement('b');
        document.body.insertAdjacentElement('afterBegin', oComment);
    }
</SCRIPT></BODY>

Something tells me the colGroup is the culprit, but I have no way of backing that up.
Tested with Safari 3.1.1.

Marked as security, I'm not sure if you treat DoS as a security issue, so erring on the safe side.
Comment 1 Berend-Jan Wever 2008-06-13 06:29:07 PDT
Changing priority and security flag
Comment 2 Mark Rowe (bdash) 2008-06-13 14:52:34 PDT
<rdar://problem/6007110>
Comment 3 Adam Roben (:aroben) 2008-06-14 08:51:20 PDT
Why is this bug marked PlatformOnly?
Comment 4 Kevin McCullough 2008-06-20 16:12:42 PDT

*** This bug has been marked as a duplicate of 19519 ***