Hello again,

This is a pretty interesting bug, actually, although I had no time to analyze it in great detail...

If a STYLE="" parameter is encountered when parsing a tag (or just any other STYLE value that is semantically empty, that is, consists of whitespace and comments alone), the Firefox CSS parser will apparently attempt to utilize the contents of a previous, already deallocated buffer and interpret this as a syntax element instead. See bug URL for demo.

Using (and possibly freeing again) deallocated memory is obviously bad for security, and may easily lead to serious problems. Another aspect of the problem is that the behavior persists across windows and domains, which possibly may lead to cross-site scripting or other cross-site disruptions if the target page contains a STYLE="" parameter (this is not considered a malicious parameter by many HTML filters).
This looks like a duplicate of bug 389685. What leads you to think that it's using "deallocated memory"?
Component: Security → Style System (CSS)
Product: Firefox → Core
QA Contact: firefox → style-system
Version: 2.0 Branch → Trunk
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 389685