[Webkit-unassigned] [Bug 20299] DOMSubTreeModified event handler can cause 100% CPU use and stack exhaustion
bugzilla-daemon at webkit.org
Thu Aug 28 09:04:44 PDT 2008
https://bugs.webkit.org/show_bug.cgi?id=20299
berendjanwever at gmail.com changed:
What   |Removed  |Added
----------------------------------------------------------------------------
Group  |         |Security-Sensitive
------- Comment #2 from berendjanwever at gmail.com 2008-08-28 09:04 PDT -------
The second example I provided actually ends up overwriting EIP with NULL in
WebKit nightly. Marking as security sensitive - control over EIP could lead to
arbitrary code execution. I have no proof that this can be used to overwrite
EIP with anything but NULL, but I can't prove that it's impossible.