Closed Bug 68322 Opened 24 years ago Closed 24 years ago

Crasher & possible exploit in dispatchEvent

Categories

(Core :: DOM: UI Events & Focus Handling, defect)

Product:
Core
Component:
DOM: UI Events & Focus Handling
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 61022

People

(Reporter: security-bugs, Assigned: joki)

Details

Attachments

(2 files)

demonstration
410 bytes, text/html
Details
demonstration part 2
261 bytes, text/html
Details
I was looking for something other but discovered that dispatchEvent (???) may lead to jumping (setting EIP) or accessing strange memory locations. In all cases Mozilla crashes but with different exceptions. The memory location seems to depend on the events that are dispatched - I could not program them (because document.createEvent seems to be broken). After examining the registers/memory after several crashes I believe this should be fixed because it may become exploitable. Test the 2 attached html files for demos. Georgi Guninski
Attached file demonstration
Dupe but I'll look into the security aspect when I fix it. *** This bug has been marked as a duplicate of 61022 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
QA contact updated
QA Contact: gerardok → madhur
Removing NS_Confidential flag.
Group: netscapeconfidential?
QA Contact: madhur → rakeshmishra
QA Contact: rakeshmishra → trix
Component: Event Handling → User events and focus handling
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: