User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2) Gecko/20021126
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2) Gecko/20021126

Scripts like this one run indefinitely, locking up Mozilla and leaving a phantom process on XP:

<html><script>
d=document;
j=0;
x='<br><scr'+'ipt>d.write(x);alert(j++);</scr'+'ipt>';
d.write(x);
</script></html>

Reproducible: Always

Steps to Reproduce:
Try this script, with or without alert. Similar effects can be created by abusing eval or setTimeout.

<html><script>
d=document;
j=0;
x='<br><scr'+'ipt>d.write(x);alert(j++);</scr'+'ipt>';
d.write(x);
</script></html>

Actual Results:
Browser lockup. Phantom process running after browser closed. Likely buffer overflow.

Expected Results:
Ideally Mozilla would "kill the children" at some level. It looks like IE ignores dynamically generated scripts at the 4th generation. Note that similar restrictions are needed to prevent mischief with eval and setTimeout.
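The generation cap the reporter asks for, modelled as an added example (this is not code from the bug report or from Mozilla): a stand-in for document.write that tracks how deeply dynamically generated scripts nest and refuses to execute any script past a fixed generation. The names makeDocument and runTestcase, and the cap of four generations (taken from the reporter's description of IE), are assumptions; a real fix would live in the browser's parser or DOM, not in page script. The PAGE string reproduces the report's testcase with alert(j++) replaced by j++ so it runs headless under Node.

```javascript
// Added example, not code from the bug report or from Mozilla.
// Models a document.write that counts nested script generations and drops
// scripts generated beyond MAX_SCRIPT_GENERATIONS (assumed value, after the
// IE behaviour the reporter describes).
const MAX_SCRIPT_GENERATIONS = 4;

function makeDocument(maxGenerations = MAX_SCRIPT_GENERATIONS) {
  const doc = {
    output: [],      // markup that reached the "page"
    generation: 0,   // nesting depth of the script currently executing
    executed: 0,     // scripts that were run
    dropped: 0,      // scripts refused because the limit was reached
    write(html) {
      // Split written markup into text and <script> bodies. A fresh regex per
      // call keeps re-entrant writes from sharing lastIndex.
      const re = /<script>([\s\S]*?)<\/script>/gi;
      let last = 0;
      let m;
      while ((m = re.exec(html)) !== null) {
        doc.output.push(html.slice(last, m.index));
        last = re.lastIndex;
        doc.runScript(m[1]);
      }
      doc.output.push(html.slice(last));
    },
    runScript(src) {
      // The check the report asks for: refuse scripts generated too deep.
      if (doc.generation >= maxGenerations) {
        doc.dropped++;
        return;
      }
      doc.generation++;
      doc.executed++;
      try {
        // Scripts see `document` as this fake document, as page scripts would.
        new Function('document', src)(doc);
      } finally {
        doc.generation--;
      }
    },
  };
  return doc;
}

// The report's testcase (constructed copy), alert(j++) replaced by j++ so it
// runs without a UI. Like the original it uses undeclared globals d, j and x.
const PAGE =
  "<html><script>d=document; j=0; " +
  "x='<br><scr'+'ipt>d.write(x);j++;</scr'+'ipt>'; d.write(x);</script></html>";

function runTestcase(maxGenerations) {
  globalThis.d = undefined;
  globalThis.j = undefined;
  globalThis.x = undefined;
  const doc = makeDocument(maxGenerations);
  let error = null;
  try {
    doc.write(PAGE);
  } catch (e) {
    // With no cap the recursion only stops when the stack is exhausted.
    error = e.constructor.name;
  }
  return {
    executed: doc.executed,
    dropped: doc.dropped,
    innerRuns: globalThis.j,
    markup: doc.output.join(''),
    error,
  };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('capped at 4 generations:', runTestcase(4));
  console.log('uncapped:', runTestcase(Infinity).error);
}
```

With the cap, the top-level script plus three generated scripts run and the fourth generated script is dropped; with the cap removed the same page recurses until the engine throws a RangeError, which is the headless analogue of the Linux comment below where the script only stops at j=997.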
Not a JS Engine issue; JS Engine contains no browser objects such as |document| nor HTML nodes such as <script>. This could be assigned either to DOM or to Security:General. Sending to DOM for further triage. Note this is the DOM equivalent of the Layout bug 136580, "Catch recursive content much sooner" Perhaps there is already a DOM bug on file for this issue, but I couldn't find it -
I can't reproduce this on a CVS build on Linux. The script stops at j=997 and Mozilla functions as expected and can be closed fine. Only a 1.2 or Windows issue?
I've seen this before - it causes an infinite recursion, but I've seen no evidence that it's an exploitable buffer overrun.
Is there any explanation why this does not work on Linux?
Mass-reassigning bugs to email@example.com
*** Bug 214198 has been marked as a duplicate of this bug. ***
(In reply to comment #7)
> Created an attachment (id=285864) [details]
> testcase
>
> fixed by bug 197052 ?

needs verification - reporter is gone