RESOLVED FIXED 19519
DOM modification causes stack exhaustion (BUTTON OBJECT COLGROUP) 
https://bugs.webkit.org/show_bug.cgi?id=19519
Summary DOM modification causes stack exhaustion (BUTTON OBJECT COLGROUP)
Berend-Jan Wever
Reported 2008-06-12 08:19:10 PDT
I found that the following javascript causes a stack exhaustion: <BODY onload="go()"><SCRIPT> function go() { oButton=document.createElement('button'); document.body.appendChild(oButton); oButton.outerHTML=''; oButton.innerHTML='<object>x<colGroup></colGroup></object>'; document.body.insertAdjacentElement('beforeBegin', oButton); } </SCRIPT></BODY> Tested with Safari 3.1.1. Marked as security, I'm not sure if you treat DoS as a security issue, so erring on the safe side. Stack exhaustion appears to be in WebKit!JSValueMakeNull. This may be the same bug as 19514 and/or 19515
Attachments
Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2008-06-12 21:17:57 PDT
We don't treat denial of service attacks as security issues (unless the bugs are exploitable for remote code execution), but reproducible crashes are P1. On a local debug build, I'm hitting an assertion: ASSERTION FAILED: beforeChild->parent()->isAnonymousBlock() 0 com.apple.WebCore 0x02b4b35d WebCore::RenderBlock::addChildToFlow(WebCore::RenderObject*, WebCore::RenderObject*) + 297 (RenderBlock.cpp:162) See also: bug 19220.
Mark Rowe (bdash)
Comment 2 2008-06-13 15:54:08 PDT
<rdar://problem/6007345>
mitz
Comment 3 2008-06-20 12:16:15 PDT
Fixed in <http://trac.webkit.org/changeset/34692>.
Kevin McCullough
Comment 4 2008-06-20 16:12:42 PDT
*** Bug 19515 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.