MoBB #14: Konqueror replaceChild()
The following bug was tested on KDE 3.5.1 on a current Gentoo Linux system. Calling the replaceChild() method on almost any DOM element can result in a NULL dereference.
document.replaceChild(0);
Demonstration
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1231504512 (LWP 11418)]
0xb6552ca0 in DOM::Node::replaceChild () from /usr/kde/3.5/lib/libkhtml.so.4
(gdb) display /i $pc
1: x/i $pc 0xb6552ca0 <_ZN3DOM4Node12replaceChildERKS0_S2_+110>: testb $0x8,0x22(%edx)
(gdb) i r $edx
edx 0x0 0
This bug will be added to the OSVDB:
KDE Konqueror replaceChild() NULL Dereference
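As an added illustration (not the post's or KHTML's code), a small C++ model of the shape behind this crash: a handle wrapping a possibly-null implementation pointer whose flags byte is tested before the argument is validated, beside a version that validates first. The struct layout, the flag bit, and the choice of DOM exception codes are assumptions; what the actual KDE fix changed is not stated on this page.

```cpp
#include <vector>

// DOM Level 2 Core exception codes used by the hardened version.
enum DomExceptionCode { HIERARCHY_REQUEST_ERR = 3, NOT_FOUND_ERR = 8 };

// Hypothetical stand-in for a DOM node implementation object. The crash in
// the post tests one bit of a byte inside such an object through a null
// pointer; here that byte is `flags` (bit 3 stands for "document fragment").
struct NodeImpl {
    unsigned char flags = 0;
    std::vector<NodeImpl*> children;
};

// Thin handle around the implementation pointer. A script value such as `0`
// arriving where a node is expected becomes a handle whose impl is null.
struct Node {
    NodeImpl* impl;
    Node(NodeImpl* p = nullptr) : impl(p) {}
};

// Vulnerable shape: reads newChild's flags before checking the handle.
// Calling it with Node() as newChild dereferences null, as in the gdb trace.
int replaceChildUnchecked(NodeImpl* parent, Node newChild, Node oldChild) {
    bool isFragment = (newChild.impl->flags & 0x8) != 0;  // faults when impl == 0
    (void)isFragment;                                      // fragment handling omitted
    for (NodeImpl*& c : parent->children)
        if (c == oldChild.impl) { c = newChild.impl; return 0; }
    return NOT_FOUND_ERR;
}

// Hardened shape: validate both handles before touching either object and
// report a DOM exception code instead of dereferencing.
int replaceChildChecked(NodeImpl* parent, Node newChild, Node oldChild) {
    if (!newChild.impl) return HIERARCHY_REQUEST_ERR;
    if (!oldChild.impl) return NOT_FOUND_ERR;
    return replaceChildUnchecked(parent, newChild, oldChild);
}

// Scenario from the post: document.replaceChild(0) with no old child given.
// Returns the exception code the hardened version raises (3).
int replaceWithNullArgs() {
    NodeImpl document, html;
    document.children.push_back(&html);
    return replaceChildChecked(&document, Node(), Node());
}

// Well-formed call for comparison: returns 0 and the child is swapped.
int replaceWithValidArgs() {
    NodeImpl document, html, replacement;
    document.children.push_back(&html);
    int rc = replaceChildChecked(&document, Node(&replacement), Node(&html));
    return (rc == 0 && document.children[0] == &replacement) ? 0 : -1;
}
```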
16 Comments:
Did you mention it to them?
In their bug filing database?
http://bugs.kde.org/
It's already fixed.
http://websvn.kde.org/?rev=562182&view=rev.
hdm, can you tell us how many bugs you have for each of the top 4 browsers (IE/Firefox/Safari/Opera) on a fully patched OS?
Not yet. Still finishing up a few tools, I don't know the final bug count yet :-)
Is this site only about crashes?
Of course crashes are important (kind of),
but a "stupid" browser bug would be funnier,
like var a = 2+2 and it would say a is 3.
I don't know any bug like that,
but it would be funny =)
Crashes, code execution, file access, generally security related browser issues :-)
Do you have any IE7 exploits?
It doesn't crash Safari, which is based on Konqueror.
"It doesn't crash Safari, which is based on Konqueror."
Safari and Konqueror both utilise KHTML AFAIK; apart from that, it's understandable that they'd use different elements in their construction, hence you cannot expect Konqueror bugs to affect Safari, and vice versa (check out the Safari bug from earlier in the month; it doesn't do diddly squat on Konqueror :) ).
And most importantly, I'm not biting your head off, just correcting. I don't like it that the correction's this long, but... well, meh!
Anyway, keep up the good work hdm! This is not only amusing but valuable information :)
hdm ever thought of a YoBB? LOL, You really should keep this going
Still works in KDE 3.5.3 (last released version - and there probably won't be another release for quite a while).
Mind you, it's not as though Konqueror suffers from a shortage of crash bugs - it's the more serious security holes that it's short on...
Actually, this isn't as bad as the last Konqueror crash bug I heard of (which I saw on their Bugzilla) - it looks easy to fix, and it's unlikely that some website will accidentally trigger it.
I think you should strive to post only bugs affecting the latest release.
I cannot reproduce the crash with KDE 3.5.3.
I use KDE 3.5.3 and the bug crashes my Konqueror 3.5.3.
Does the KDE team know about this bug?
https://bugs.kde.org/show_bug.cgi?id=130819
Also doesn't work with Konqueror/KDE 3.3.2.
Mandriva Linux updated their packages.