Unsafe DOM mutation events in object frame.

RESOLVED FIXED

Status


Core
DOM: Events
--
critical
RESOLVED FIXED
10 years ago
4 years ago

People

(Reporter: Vlad Sukhoy, Unassigned)

Tracking

(4 keywords)

1.8 Branch
x86
All
crash, fixed1.8.1.5, testcase, verified1.8.0.13
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 382681] keep private until 355548 is fixed)

Attachments

(1 attachment)

(Reporter)

Description

10 years ago
Created attachment 266816 [details]
the test case: crashes MacOS 1_8 branch, makes Windows 1_8 branch unresponsive.

Using DOM mutation events it is possible to crash the browser or make the UI unresponsive.
(Reporter)

Comment 1

10 years ago
See also bug 382568, bug 382681, bug 382700, bug 355548.
Here it is nsObjectFrame::CreateDefaultFrames that is vulnerable (it does child manipulations which fire events, and the JavaScript being invoked in the middle of frame code may do some damage).
(Reporter)

Updated

10 years ago
Blocks: 382754

Updated

10 years ago
Depends on: 382681
(Reporter)

Updated

10 years ago
No longer blocks: 382754

Comment 2

10 years ago
Fixed by the patch in bug 382681.
Keywords: fixed1.8.0.13, fixed1.8.0.5

Updated

10 years ago
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED

Updated

10 years ago
Keywords: fixed1.8.0.5 → fixed1.8.1.5
Whiteboard: [sg:dupe 382681]
No hang or crash using Thunderbird version 1.5.0.13 (20070809) with JS enabled.  Replacing fixed1.5.0.13 keyword with verified1.5.0.13.
Keywords: fixed1.8.0.13 → verified1.8.0.13
Flags: in-testsuite?
Whiteboard: [sg:dupe 382681] → [sg:dupe 382681] keep private until 355548 is fixed
Group: core-security