Bug 382700 - Unsafe DOM mutation events in object frame.
Status: RESOLVED FIXED
[sg:dupe 382681] keep private until 3...
: crash, fixed1.8.1.5, testcase, verified1.8.0.13
Product: Core
Classification: Components
Component: DOM: Events
: 1.8 Branch
: x86 All
: -- critical
: ---
Assigned To: Nobody; OK to take it and work on it
:
: Andrew Overholt [:overholt]
Mentors:
Depends on: 382681
Blocks:
Reported: 2007-05-31 15:45 PDT by Vlad Sukhoy
Modified: 2012-12-03 22:03 PST
11 users
dveditz: in‑testsuite?


Attachments
the test case: crashes MacOS 1_8 branch, makes Windows 1_8 branch unresponsive. (1.53 KB, application/xhtml+xml)
2007-05-31 15:45 PDT, Vlad Sukhoy

Description Vlad Sukhoy 2007-05-31 15:45:56 PDT
Created attachment 266816
the test case: crashes MacOS 1_8 branch, makes Windows 1_8 branch unresponsive.

Using DOM mutation events it is possible to crash the browser or make the UI unresponsive.

Comment 1 Vlad Sukhoy 2007-05-31 16:00:05 PDT
See also bug 382568, bug 382681, bug 382700, bug 355548;
Here it is nsObjectFrame::CreateDefaultFrames that is vulnerable (does child manipulations which fire events and the JavaScript being invoked in the middle of frame code may do some damage).

Comment 2 Olli Pettay [:smaug] 2007-06-25 00:43:24 PDT
Fixed by the patch in bug 382681.

Comment 3 Stephen Donner [:stephend] 2007-08-21 16:10:11 PDT
No hang or crash using Thunderbird version 1.5.0.13 (20070809) with JS enabled. Replacing fixed1.5.0.13 keyword with verified1.5.0.13.
