Bug 19519 - DOM modification causes stack exhaustion (BUTTON OBJECT COLGROUP)
Summary: DOM modification causes stack exhaustion (BUTTON OBJECT COLGROUP)
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: 525.x (Safari 3.1)
Hardware: All All
: P1 Normal
Assignee: mitz
URL: http://skypher.com/SkyLined/Repro/Saf...
Keywords: InRadar
: 19515 (view as bug list)
Depends on:
Reported: 2008-06-12 08:19 PDT by Berend-Jan Wever
Modified: 2008-06-20 16:12 PDT (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Berend-Jan Wever 2008-06-12 08:19:10 PDT
I found that the following javascript causes a stack exhaustion:

<BODY onload="go()"><SCRIPT>
    function go() {
		document.body.insertAdjacentElement('beforeBegin', oButton);

Tested with Safari 3.1.1.

Marked as security, I'm not sure if you treat DoS as a security issue, so
erring on the safe side.

Stack exhaustion appears to be in WebKit!JSValueMakeNull. This may be the same bug as 19514 and/or 19515
Comment 1 Alexey Proskuryakov 2008-06-12 21:17:57 PDT
We don't treat denial of service attacks as security issues (unless the bugs are exploitable for remote code execution), but reproducible crashes are P1.

On a local debug build, I'm hitting an assertion:
ASSERTION FAILED: beforeChild->parent()->isAnonymousBlock()
0   com.apple.WebCore             	0x02b4b35d WebCore::RenderBlock::addChildToFlow(WebCore::RenderObject*, WebCore::RenderObject*) + 297 (RenderBlock.cpp:162)

See also: bug 19220.
Comment 2 Mark Rowe (bdash) 2008-06-13 15:54:08 PDT
Comment 3 mitz 2008-06-20 12:16:15 PDT
Fixed in <http://trac.webkit.org/changeset/34692>.
Comment 4 Kevin McCullough 2008-06-20 16:12:42 PDT
*** Bug 19515 has been marked as a duplicate of this bug. ***