Iframe inside an absolute positioned div crashes Browser

VERIFIED WORKSFORME

Status

Firefox
Security
--
critical
13 years ago

People

(Reporter: Matias Muhonen, Unassigned)

Tracking

({crash})

1.0 Branch
x86
Windows XP
crash

Details

(Whiteboard: DUPEME?, URL)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

An iframe inside an absolutely positioned parent div and a div serving as a 'close
button'. The 'close button' div must also be absolutely positioned inside the
parent div.

Removing the parent div from document body causes a fatal crash if the iframe is
active. 

<body>

<div id="a" style="position:absolute">
 <iframe></iframe>
 <div style="position:absolute"
onmousemove="document.body.removeChild(document.getElementById('a'))">
       1. click iframe 2. move mouse here
 </div>
</div>

</body>


Reproducible: Always

Steps to Reproduce:
1. Open the attached document
2. Click the iframe in the document
3. Move cursor inside the "move mouse here" text

Actual Results:  
The browser crashes immediately

Expected Results:  
The div should be hidden

Comment 1

13 years ago
No crash for me, Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US;
rv:1.8b4) Gecko/20050808 Firefox/1.0+

This doesn't sound like a security hole to me.  Some crashes are security holes,
such as buffer overflows or crashes that affect server software, but most aren't.
Group: security
Keywords: crash

Crashes 1.0.6 but not Deer Park (trunk). The crash was executing address
0x00000000, which isn't a security issue that would cause a branch re-spin.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WORKSFORME
Whiteboard: DUPEME?
Version: unspecified → 1.0 Branch

<- VERI. v1.0.x is for security releases, and as per comment 2, this isn't a security issue.
Status: RESOLVED → VERIFIED
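
The triage reasoning in the comments above (a crash executing address 0x00000000 versus a crash such as a buffer overflow), written out as a first-pass heuristic. This is an added example, not part of the original bug report and not Mozilla tooling; the input line format, the rating names and the 64 KiB near-null limit are assumptions, and only the first sample line reflects the crash described in this bug.

```python
import re

# Assumption: the lowest 64 KiB of a Windows user address space is never
# mapped, so a fault below this limit is treated as a null-pointer dereference.
NEAR_NULL_LIMIT = 0x10000

# Constructed line format (not a real crash-reporter format):
#   "<build> <access> 0x<fault address>", access is read, write or exec
LINE_RE = re.compile(
    r"^(?P<build>\S+)\s+(?P<access>read|write|exec)\s+0x(?P<addr>[0-9a-fA-F]+)$"
)

def parse_line(line):
    """Split one crash line into (build, access, fault address)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised crash line: {line!r}")
    return m["build"], m["access"], int(m["addr"], 16)

def triage(access, addr):
    """Return (rating, reason). A heuristic only: a near-null fault reached
    through a large attacker-chosen offset still needs a manual look."""
    if addr < NEAR_NULL_LIMIT:
        return "low", f"{access} at near-null address"
    if access == "exec":
        return "high", "instruction pointer at a non-null address"
    if access == "write":
        return "high", "write to a non-null address"
    return "unknown", "read from a non-null address, needs manual analysis"

def triage_report(lines):
    """Triage every non-empty line; returns (build, address, rating, reason)."""
    rows = []
    for line in lines:
        if line.strip():
            build, access, addr = parse_line(line)
            rows.append((build, f"0x{addr:08x}") + triage(access, addr))
    return rows

# First line: the crash from this bug. The rest are constructed samples.
SAMPLE = """\
1.0.6 exec 0x00000000
constructed-1 read 0x00000014
constructed-2 exec 0x0badf00d
constructed-3 write 0x7ffd2000
constructed-4 read 0x00010000
"""

if __name__ == "__main__":
    for row in triage_report(SAMPLE.splitlines()):
        print(*row, sep="  ")
```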