[Webkit-unassigned] [Bug 10785] New: Safari(417.9.3) crashes on .innerhtml, if the script element, inside a div element, redefines the document body.
bugzilla-daemon at opendarwin.org
Fri Sep 8 07:06:01 PDT 2006
http://bugzilla.opendarwin.org/show_bug.cgi?id=10785
Summary: Safari(417.9.3) crashes on .innerhtml, if the script element, inside a div element, redefines the document body.
Product: WebKit
Version: 417.x
Platform: Macintosh
URL: http://metasploit.com/users/hdm/tools/browserfun/mobb_031.html
OS/Version: Mac OS X 10.4
Status: NEW
Severity: normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at opendarwin.org
ReportedBy: zbujtas at gmail.com
The following HTML code crashes the parser:
<html><body><div><div><script>document.body.innerHTML = '!';</script></div></div></body></html>
When .innerHTML redefines the body, both div nodes are detached from the
document tree. The outer div gets destroyed, while the inner div is not, as it is
still referenced by the HTML stack (HTMLParser::setCurrent()). When the parser
reaches the closing tag of the outer div, HTMLParser::popOneBlock() crashes as
it tries to access the invalid (already deleted) outer div node.
See the original report: http://www.frsirt.com/english/advisories/2006/3069
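To make the mechanism in the report concrete, the following is an added C model (not WebKit source and not the reporter's code) of a refcounted node tree and a parser block stack. The node type, the refcounting rules, the `retain` switch and the `destroyed` flag (which stands in for the real delete so the dangling pointer can be inspected without undefined behaviour) are all constructed for this illustration; only the names HTMLParser::setCurrent() and HTMLParser::popOneBlock() come from the report. With `retain=0` the stack holds raw pointers: the innerHTML assignment destroys the outer div while the inner div survives as the current node, and the pops for the closing tags then touch a destroyed node. With `retain=1` the stack holds a reference to each open block and nothing stale is reached.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHILDREN 8
#define MAX_DEPTH    16
#define MAX_NODES    32

/* Constructed model of a refcounted DOM node (not WebKit's Node class). */
typedef struct Node {
    const char *tag;
    int refcount;
    int destroyed;                      /* stands in for the real delete */
    struct Node *children[MAX_CHILDREN];
    int nchildren;
} Node;

/* Arena instead of malloc/free so a "deleted" node stays inspectable. */
static Node arena[MAX_NODES];
static int arena_used;

static Node *node_new(const char *tag) {
    Node *n = &arena[arena_used++];
    memset(n, 0, sizeof *n);
    n->tag = tag;
    return n;
}

static void node_ref(Node *n) { n->refcount++; }
static void node_deref(Node *n);
static void node_destroy(Node *n) {
    n->destroyed = 1;
    for (int i = 0; i < n->nchildren; i++)  /* a dying parent drops its children */
        node_deref(n->children[i]);
    n->nchildren = 0;
}
static void node_deref(Node *n) { if (--n->refcount == 0) node_destroy(n); }

static void node_append(Node *parent, Node *child) {
    parent->children[parent->nchildren++] = child;
    node_ref(child);                        /* the tree holds one reference */
}

/* document.body.innerHTML = '!': the tree drops its references to the old
 * children; anything nobody else holds is destroyed. */
static void node_replace_children(Node *n) {
    int count = n->nchildren;
    n->nchildren = 0;
    for (int i = 0; i < count; i++) node_deref(n->children[i]);
}

/* Parser block stack. retain=0: raw pointers to open blocks (the behaviour the
 * report describes); retain=1: the stack references each open block. */
typedef struct {
    Node *blocks[MAX_DEPTH];
    int depth;
    int retain;
    Node *current;           /* HTMLParser::setCurrent() keeps a reference */
    int stale_accesses;      /* touches of a destroyed node: UAF in real code */
} BlockStack;

static void touch(BlockStack *s, Node *n) { if (n && n->destroyed) s->stale_accesses++; }

static void stack_set_current(BlockStack *s, Node *n) {
    touch(s, n);
    if (n) node_ref(n);
    if (s->current) node_deref(s->current);
    s->current = n;
}

static void stack_push(BlockStack *s, Node *n) {
    s->blocks[s->depth++] = n;
    if (s->retain) node_ref(n);
    stack_set_current(s, n);
}

/* Models HTMLParser::popOneBlock(): reads the popped block, then makes the
 * enclosing block current. */
static void stack_pop(BlockStack *s) {
    Node *n = s->blocks[--s->depth];
    touch(s, n);
    if (s->retain) node_deref(n);
    stack_set_current(s, s->depth > 0 ? s->blocks[s->depth - 1] : NULL);
}

typedef struct { int outer_dead_after_script, inner_dead_after_script, stale_accesses; } Result;

/* Runs the report's document through the model. */
static Result simulate(int retain) {
    Result r;
    BlockStack s = { .depth = 0, .retain = retain, .current = NULL, .stale_accesses = 0 };
    arena_used = 0;
    Node *doc = node_new("#document"), *html = node_new("html"), *body = node_new("body");
    Node *outer = node_new("div"), *inner = node_new("div");
    node_ref(doc);                                /* root owned by the caller */
    /* <html><body><div><div>: append to the tree and open a block for each */
    node_append(doc, html);    stack_push(&s, html);
    node_append(html, body);   stack_push(&s, body);
    node_append(body, outer);  stack_push(&s, outer);
    node_append(outer, inner); stack_push(&s, inner);
    /* <script>document.body.innerHTML = '!';</script> runs with inner current */
    node_replace_children(body);
    r.outer_dead_after_script = outer->destroyed;
    r.inner_dead_after_script = inner->destroyed;
    /* </div></div></body></html>: one popOneBlock() per closing tag */
    while (s.depth > 0) stack_pop(&s);
    r.stale_accesses = s.stale_accesses;
    return r;
}

int main(void) {
    Result crash = simulate(0), fixed = simulate(1);
    printf("raw pointers: outer dead=%d inner dead=%d stale accesses=%d\n",
           crash.outer_dead_after_script, crash.inner_dead_after_script, crash.stale_accesses);
    printf("retained:     outer dead=%d inner dead=%d stale accesses=%d\n",
           fixed.outer_dead_after_script, fixed.inner_dead_after_script, fixed.stale_accesses);
    return 0;
}
```

The raw-pointer run reproduces the report's state after the script: the outer div is destroyed, the inner div is kept alive only by the current-node reference, and the two pops that reach the outer div both touch a destroyed node. In the retained run the block stack's own reference keeps the outer div alive until its closing tag is popped, and the subtree is released in order.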