[Webkit-unassigned] [Bug 20299] DOMSubTreeModified event handler can cause 100% CPU use and stack exhaustion

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 28 09:04:44 PDT 2008


berendjanwever at gmail.com changed:

           What    |Removed                     |Added
              Group|                            |Security-Sensitive

------- Comment #2 from berendjanwever at gmail.com  2008-08-28 09:04 PDT -------
The second example I provided actually ends up overwriting EIP with NULL in
WebKit nightly. Marking as security sensitive - control over EIP could lead to
arbitrary code execution. I have no proof that this can be used to overwrite
EIP with anything but NULL, but I can't prove that it's impossible.

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list