Bug 23550 - Browser can eat up all available memory and then crashes
Summary: Browser can eat up all available memory and then crashes
Status: RESOLVED DUPLICATE of bug 23319
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2009-01-26 13:57 PST by Yael
Modified: 2009-01-30 04:39 PST

See Also:


Attachments
Limit the length of select element that can be set from javascript (3.78 KB, patch)
2009-01-26 13:59 PST, Yael
mrowe: review-

Description Yael 2009-01-26 13:57:39 PST
Browser would eat up all the available memory in the system and crash when it processes this simple javascript:

e = document.createElement("select");
e.length = 2147483647;
Comment 1 Yael 2009-01-26 13:59:56 PST
Created attachment 27044 [details]
Limit the length of select element that can be set from javascript
Comment 2 Mark Rowe (bdash) 2009-01-26 17:48:11 PST
Where did the limit of 1000 come from?  What maximum size do Firefox and IE allow?
Comment 3 Yael 2009-01-26 18:11:04 PST
(In reply to comment #2)
> Where did the limit of 1000 come from?  What maximum size do Firefox and IE
> allow?
> 

The 1000 limit is a guess; it could change if it breaks web sites.

IE and Opera do not have a limit. They eat up all the available memory and then crash.
Firefox does not support setting the length on HTMLSelectElement and throws a NOT_SUPPORTED_ERR exception. This behavior is based on the spec in http://www.w3.org/TR/DOM-Level-2-HTML/html.html#ID-94282980.

I thought that we still want to be compatible with IE and Opera, hence the limit.
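
Added example (not WebKit's code and not the attached patch): a small JavaScript model of the HTMLSelectElement.length setter with the bounded-length check discussed in this comment, rejecting an oversized value before any option is allocated. The cap of 1000 is the value from the attached patch; SelectModel and its placeholder option objects are assumptions standing in for the real DOM objects.

```javascript
// Added example, not WebKit code: models the select.length setter with the
// length cap proposed in the patch above. SelectModel is a stand-in for the
// real HTMLSelectElement; its options are plain placeholder objects.
const MAX_SELECT_LENGTH = 1000; // cap from the attached patch (a guess, per comment 3)

class SelectModel {
  constructor() {
    this.options = [];
  }

  get length() {
    return this.options.length;
  }

  // Hardened setter: validate the requested length before allocating anything,
  // so a value such as 2147483647 cannot drive memory exhaustion.
  // Firefox (per comment 3) throws NOT_SUPPORTED_ERR for every assignment; this
  // model throws only for out-of-range values, keeping IE/Opera-style behaviour
  // for reasonable sizes.
  setLength(n) {
    if (!Number.isInteger(n) || n < 0 || n > MAX_SELECT_LENGTH) {
      throw new RangeError(`select.length ${n} outside [0, ${MAX_SELECT_LENGTH}]`);
    }
    // Same semantics as the DOM setter: shrinking drops options from the end,
    // growing appends empty options one at a time.
    if (n < this.options.length) {
      this.options.length = n;
    } else {
      while (this.options.length < n) {
        this.options.push({ text: "", value: "" });
      }
    }
  }
}

// Exercises the setter with a normal resize and with the value from the report.
function demo() {
  const s = new SelectModel();
  s.setLength(3);
  let hostileRejected = false;
  try {
    s.setLength(2147483647);
  } catch (e) {
    hostileRejected = e instanceof RangeError;
  }
  return { length: s.length, hostileRejected };
}
```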

Comment 4 Yael 2009-01-27 05:55:59 PST
I should mention that this bug was found by Thierry Zoller. http://secdev.zoller.lu/
Comment 5 Sam Weinig 2009-01-27 07:45:19 PST

*** This bug has been marked as a duplicate of 23319 ***
Comment 6 black0ut 2009-01-27 09:56:48 PST
Dear Yael,
You have been sent the POC to treat responsibly, not to submit it to vendors and not give credit for my discovery.

That said, Nokia devices are affected too. How are you proceeding? I have tested a few of your devices.
Comment 7 black0ut 2009-01-27 10:08:33 PST
Dear Yael,
Sorry, I missed comment #4. However, please notify me before contacting vendors; I am currently coordinating disclosure and you just posted the POC as an open bug report.
Comment 8 Mark Rowe (bdash) 2009-01-30 04:39:30 PST
Comment on attachment 27044 [details]
Limit the length of select element that can be set from javascript

Clearing review flag since the bug has been closed.