Closed Bug 304133 Opened 19 years ago Closed 19 years ago

Iframe inside an absolute positioned div crashes Browser

Categories

Product/Component: Firefox :: Security
Type: defect
Version: 1.0 Branch
Hardware: x86
OS: Windows XP
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED WORKSFORME

People

(Reporter: matias.muhonen, Unassigned)

Details

(Keywords: crash, Whiteboard: DUPEME?)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

An iframe inside an absolute positioned parent div and a div serving as a 'close
button'. The 'close button' div must be also absolute positioned inside the
parent div.

Removing the parent div from document body causes a fatal crash if the iframe is
active. 

<body>

<div id="a" style="position:absolute">
 <iframe></iframe>
 <div style="position:absolute"
onmousemove="document.body.removeChild(document.getElementById('a'))">
       1. click iframe 2. move mouse here
 </div>
</div>

</body>


Reproducible: Always

Steps to Reproduce:
1. Open the attached document
2. Click the iframe in the document
3. Move cursor inside the "move mouse here" text

Actual Results:  
The browser crashes immediately

Expected Results:  
The div should be hidden

No crash for me, Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US;
rv:1.8b4) Gecko/20050808 Firefox/1.0+

This doesn't sound like a security hole to me.  Some crashes are security holes,
such as buffer overflows or crashes that affect server software, but most aren't.

Group: security
Keywords: crash

Crashes 1.0.6 but not Deer Park (trunk). The crash was executing address
0x00000000, which isn't a security issue that would cause a branch re-spin.

Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Whiteboard: DUPEME?
Version: unspecified → 1.0 Branch

<- VERI. v1.0.x is for security releases, and as per comment 2, this isn't a security issue.

Status: RESOLVED → VERIFIED