[webkit-dev] DOS in Safari/WebKit?
mjs at apple.com
Thu Dec 22 21:47:01 PST 2005
On Dec 22, 2005, at 6:48 PM, Kurt Kohler wrote:
> I haven't been following the chat room so I might have missed it, but
> I'm surprised there hasn't been any discussion here about the "denial of
> service" bug reported at the following URL.
> I don't want to jump to conclusions, but we're talking about open
> software here. He could have fixed it himself or at least filed a
> Bugzilla report. As far as I can tell he did neither. He does claim to
> have reported it to Apple. Is it in radar perhaps?
It is in Radar.
I don't recall ever getting proof of the "execute arbitrary code"
exploitability. We don't usually treat crashers as security bugs,
because then every reproducible crash would count as a security
exploit and that's not really reasonable given how many there are.
Can't comment on when/whether this will make it to a security update.
> I'll wait before I say what I think about this guy. I don't want to be
> slanderous without cause.
> BTW I saw a claim elsewhere that it had been fixed in the nightlies, but
> it looks like as of a few minutes ago ensureRows in TOT still has the
> problem (it does a resize with a value that doesn't appear to be
> against any limit).
We don't check against a hard limit but TOT will no longer crash or
overwrite memory (try it). We now detect the allocation failure. But
it might be good to also set a hard upper limit on rowspans.
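As an added example, not code from this thread or from WebKit, here is the defensive pattern the reply describes: the row-storage growth path detects allocation failure instead of crashing, and the parsed rowspan is clamped to a hard upper limit before it ever reaches that path. The names (TableGrid, ensureRows, clampRowSpan, kMaxRowSpan) and the cap value are hypothetical.

```cpp
#include <cstddef>
#include <new>
#include <stdexcept>
#include <vector>

// Hypothetical hard upper limit on rowspan; the value is illustrative,
// not one taken from WebKit or this thread.
const unsigned kMaxRowSpan = 65534;

// Stand-in for a table section's row storage (hypothetical, not WebKit's).
struct TableGrid {
    std::vector<std::vector<int>> rows;  // one entry per row

    // Grow to at least numRows rows. Returns false, leaving the grid
    // untouched, when the request cannot be satisfied: an oversized
    // resize surfaces as length_error or bad_alloc rather than as a
    // crash or an out-of-bounds write.
    bool ensureRows(size_t numRows) {
        if (numRows <= rows.size())
            return true;
        try {
            rows.resize(numRows);
        } catch (const std::bad_alloc&) {
            return false;   // allocation failure detected
        } catch (const std::length_error&) {
            return false;   // request exceeds what the container can hold
        }
        return true;
    }
};

// Clamp an attribute value parsed from markup to [1, kMaxRowSpan].
// (Treating rowspan=0 as 1 is a simplification for this example.)
unsigned clampRowSpan(long long parsed) {
    if (parsed < 1)
        return 1;
    if (parsed > static_cast<long long>(kMaxRowSpan))
        return kMaxRowSpan;
    return static_cast<unsigned>(parsed);
}

// Place a cell starting at `row` that spans `rowSpan` rows. Because the
// span is bounded first, `row + span` stays small and ensureRows is only
// ever asked for a reasonable size; its result is still checked.
bool addCell(TableGrid& grid, size_t row, long long rowSpan) {
    unsigned span = clampRowSpan(rowSpan);
    return grid.ensureRows(row + span);
}
```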