forwarded 336171 http://bugzilla.mozilla.org/show_bug.cgi?id=303433
close 336171 1.4.99+1.5beta2.dfsg-1
thanks
On Tue, Nov 22, 2005 at 01:24:59PM +0000, Stephen Gran <[EMAIL PROTECTED]> wrote:
> This one time, at band camp, Mike Hommey said:
> > On Tue, Nov 22, 2005 at 12:41:21PM +0000, Stephen Gran
> > <[EMAIL PROTECTED]> wrote:
> > > This one time, at band camp, Mike Hommey said:
> > > > Until it is proven to be exploitable, this can't be critical.
> > >
> > > Did you look at the link included? There is a proof of concept
> > > exploit on the page under the 'exploit' tab.
> >
> > Yes, it does crash the browser. No, it is not a security breach that
> > can be exploited to, for example, run arbitrary code or such.
>
> So this is a failed memory allocation or null pointer dereference,
> rather than the integer overflow that it sounds like? I admit, I have
> not looked at the IFRAME handling code, so I'm just curious. If it is
> an integer overflow, then the ability to execute arbitrary code is
> there. If it's a crash due to an uncaught memory allocation failure or
> something, then you are right, and this is merely important.
>
> Take care,

It is a stack overflow, but not a stack buffer overflow, so it's basically not exploitable. It also appears to have been fixed in Deer Park 1.5beta 2. Tagging accordingly.

Cheers

Mike