The following bug was tested on the latest version of Safari on a fully-patched Mac OS X 10.4 (PPC) system. Safari will dereference and call a pointer from the heap if a script element, inside a div element, redefines the document body. Code execution is possible, but more time is required to develop a reliable exploit. This bug was discovered by Jose Avila III and Pusscat. Strangely enough, this bug does not affect KDE's Konqueror (tested 3.5.3).
Please see the demo source code for an example.
Warning: The following link may cause your browser to crash. Demonstration
Program received signal EXC_BAD_INSTRUCTION, Illegal instruction/operand.
(gdb) x/i $pc
0x4aeec58: .long 0x690074

#0 0x04aeec58 in ?? ()
#1 0x95c6f884 in KHTMLParser::popOneBlock ()
#2 0x95c43998 in KHTMLParser::freeBlock ()
#3 0x95cdff3c in KHTMLParser::finished ()
#4 0x95cdfe7c in khtml::HTMLTokenizer::end ()
#5 0x95c7ec8c in khtml::HTMLTokenizer::finish ()
#6 0x95d90358 in KHTMLPart::endIfNotLoading ()

0x95c6f8c4 <_ZN11KHTMLParser11popOneBlockEb+132>: lwz r2,0(r3)
0x95c6f8c8 <_ZN11KHTMLParser11popOneBlockEb+136>: lwz r12,268(r2)
0x95c6f8cc <_ZN11KHTMLParser11popOneBlockEb+140>: mtctr r12
0x95c6f8d0 <_ZN11KHTMLParser11popOneBlockEb+144>: bctrl
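The disassembly shows a virtual call made through a node the parser still holds on its block stack after the script has released it: the vtable pointer is loaded from the object, a slot is read from that table and called. The following constructed C model (added here; it is not KHTML or WebKit code) reproduces that pattern with a poisoned "heap" slot instead of a real free, so the stale call is detected rather than executed, and contrasts it with a stack that takes a reference on each pushed block. The refcounting variant is an assumption about how such a bug is typically closed, not a description of Apple's actual fix.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model (not KHTML source): a DOM node whose first word is a
 * vtable pointer, the word `lwz r2,0(r3)` loads in the crash trace. */
typedef struct Node Node;
typedef struct { int (*close)(Node *); } NodeVTable;
struct Node { const NodeVTable *vtable; int refcount; const char *tag; };
static int body_close(Node *n) { (void)n; return 1; }
static const NodeVTable body_vtable = { body_close };
static uint8_t arena[sizeof(Node)]; /* one-slot "heap" for the body node */

static Node *node_new(const char *tag) {
    Node *n = (Node *)arena;
    n->vtable = &body_vtable; n->refcount = 1; n->tag = tag;
    return n;
}
static void node_ref(Node *n) { n->refcount++; }
static void node_deref(Node *n) { /* "free": poison the slot on last deref */
    if (--n->refcount == 0) memset(n, 0xef, sizeof *n);
}

/* Parser block stack. holds_ref=0 keeps raw pointers (the crashing
 * behaviour); holds_ref=1 takes a reference on every pushed block. */
typedef struct { Node *stack[8]; int depth; int holds_ref; } Parser;
static void push_block(Parser *p, Node *n) {
    if (p->holds_ref) node_ref(n);
    p->stack[p->depth++] = n;
}

/* Model of popOneBlock: load the node's vtable, then call through it.
 * Returns -1 when the vtable word is poison, i.e. where the real build
 * executed bctrl into freed memory. */
static int pop_one_block(Parser *p) {
    Node *n = p->stack[--p->depth];
    const NodeVTable *vt = n->vtable;   /* lwz r2,0(r3) */
    if (vt != &body_vtable) return -1;  /* dangling vtable: unsafe to call */
    int rc = vt->close(n);              /* lwz r12,N(r2); mtctr r12; bctrl */
    if (p->holds_ref) node_deref(n);
    return rc;
}

/* The page's scenario: <body> sits on the block stack when a <script>
 * inside a <div> replaces document.body and the old body is released. */
int run_scenario(int holds_ref) {
    Parser p = { {0}, 0, holds_ref };
    Node *body = node_new("body");
    push_block(&p, body);
    node_deref(body);            /* document.body replaced by the script */
    return pop_one_block(&p);    /* tokenizer finishes; parser pops stack */
}
```

`run_scenario(0)` returns -1 (the pop would have called through freed memory), while `run_scenario(1)` returns 1 because the stack's own reference keeps the node alive until it is popped.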
This bug will be added to the OSVDB: Apple Safari KHTMLParser::popOneBlock Code Execution