[Webkit-unassigned] [Bug 29873] New: Use after free in XHR and/or JS error handler
bugzilla-daemon at webkit.org
Tue Sep 29 07:49:34 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=29873
Summary: Use after free in XHR and/or JS error handler
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows Vista
Status: NEW
Keywords: GoogleBug
Severity: Critical
Priority: P1
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
I can't figure out what is causing this exactly, so I am only speculating here.
I have a working repro, so hopefully you should be able to figure out what's
going on for yourself.
It seems that if I am making XHR requests and one of them is to an "invalid"
url (e.g. "http://does not work", with spaces in it), this causes the send()
method to throw an exception (this is not true for other browsers, btw). When I
catch the exception and wait for a bit, for instance by showing an alert(),
some resource gets freed and can be re-used later. This should be exploitable.
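The following is an added illustration of the JavaScript-level sequence the report describes (an XHR to a URL containing spaces, send() throwing, the exception being caught, a pause, then further requests). It is not the reporter's repro, which is not on this page, and it cannot show the freed-and-reused resource itself: that happens inside the engine of the affected WebKit build. The stand-in XHR class, the helper names and the URL list are assumptions; the stand-in throws on whitespace in the URL to model the behaviour the report attributes to WebKit, since current engines percent-encode such URLs instead of throwing.

```javascript
// Added example: reconstruction of the trigger sequence from the bug report.
// Not the reporter's repro. FakeXHR, makeXHR, runSequence and SAMPLE_URLS are
// assumed names introduced here so the control flow can run outside a browser.

// Stand-in XHR whose send() throws for URLs containing whitespace, modelling
// the WebKit behaviour the report describes ("this is not true for other browsers").
class FakeXHR {
  open(method, url) {
    this.method = method;
    this.url = url;
  }
  send() {
    if (/\s/.test(this.url)) {
      throw new Error('send() refused invalid URL: ' + JSON.stringify(this.url));
    }
  }
}

// Use the real XMLHttpRequest when one exists (browser), the stand-in otherwise (Node).
function makeXHR() {
  return typeof XMLHttpRequest === 'function' ? new XMLHttpRequest() : new FakeXHR();
}

// Issue each request in order and record which send() calls threw.
// `wait` runs right after a caught exception; it stands for the pause the
// reporter created with alert(), the point at which the report says some
// resource gets freed before later requests reuse it.
function runSequence(urls, wait, factory = makeXHR) {
  const log = [];
  for (const url of urls) {
    const xhr = factory();
    try {
      xhr.open('GET', url);
      xhr.send();
      log.push({ url, threw: false });
    } catch (e) {
      log.push({ url, threw: true, message: String(e.message) });
      wait(); // in a browser: alert('caught exception, continuing')
    }
  }
  return log;
}

// Constructed URL list (assumption): a well-formed target, the report's
// "http://does not work" with spaces, then another request after the wait.
const SAMPLE_URLS = [
  'http://example.invalid/first',
  'http://does not work',
  'http://example.invalid/after-wait',
];

// Convenience entry point: run the constructed sequence with a no-op wait.
function demo() {
  return runSequence(SAMPLE_URLS, () => {});
}
```

In a browser the same `runSequence` can be called with `() => alert('caught')` as the wait and the default factory, which is the shape of the trigger the report describes; whether anything is actually freed depends on the WebKit build under test and is not observable from this script.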