To help narrow this down, the "h" is irrelevant.

The following ...
    data://</<
    data://</>
... will crash it just fine.

Other permutations don't cause issues, such as:
    data://<<
    data://<>

Thus it seems that misplaced "/" chars make for problems.

--Ben



On Sep 29, 2005, at 11:51 AM, Boyd Waters wrote:

From bugtraq, I had not seen this before.

Basically, entering a URL of data://<h>/ will crash Safari?

Is this a bug on bugzilla? I cannot find such with a brief search...

~ boyd


Begin forwarded message:


From: Jonathan Rockway <[EMAIL PROTECTED]>
To: [email protected]
Subject: Possible memory corruption problems in Apple Safari
Date: Fri, 16 Sep 2005 22:07:34 -0500
Message-ID: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.7i

Hello,

I was playing around with Safari the other day and noticed that it
crashes solid if you convince it to visit:

data://<h1>crash</h1>

Typing it into the address bar is sufficient for testing and crashes
the browser completely.  I loaded up Safari in gdb to see where it
crashes and got the following result:


Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x076fffff
[Switching to process 266 thread 0x6403]
0xffff8ce4 in ___memcpy ()


The fact that random data from the Internet is causing problems with
memcpy worries me.  I haven't figured out how to change the arguments
to memcpy, but it seems possible.  Hopefully someone that knows more
about debugging threaded Objective-C programs running on PPC can
look into it.  I'm more of a simple x86/C person myself :)

Just for reference, it seems that Safari needs a very specific set of
inputs to actually crash:

data://<h>/ doesn't crash
but
data://<h>/< does

(also data://<crash>test</crash> doesn't crash... the h in <h1> seems
important somehow).

Regards (and good luck),
Jonathan Rockway
------- end -------

_______________________________________________
webkit-dev mailing list
[email protected]
http://www.opendarwin.org/mailman/listinfo/webkit-dev