Vulnerability Development mailing list archives
Re: More Browser on Macosx flaws: nested array sort() loop Stack overflow exception
From: Valdis.Kletnieks () vt edu
Date: Thu, 02 Dec 2004 14:46:06 -0500
On Fri, 26 Nov 2004 18:56:01 +0200, Alex R said:
Anyone know why so many browsers are affected?
Well... let's look at it..
<SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
That's the moral equivalent of: main() { while (1) {malloc(lots);} } and it's *tricky* to actually trap this one correctly. The problem is that when you do the new() that overflows the stack, you can probably catch the error - but then you get to try to clean up the mess without making any more function calls that grow the stack and/or malloc more. Now consider that C++ seems to be the popular language for doing browsers - and C++ has these things called constructors and destructors.... ;) (Of course, the *other* possibility is to roll the stack back by hand to some reasonable recovery point. This is fun enough in C ('man longjmp' ;), and another ugly mess for C++)....
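As an added illustration of the recovery problem discussed above (example code written for this page, not from the thread or any browser), this walks a chain of nested nodes modelled on repeated `a = new Array(a)`, stops at an assumed depth budget and unwinds by `longjmp` to a recovery point instead of exhausting the stack; the `node` type, `MAX_DEPTH` and the function names are assumptions.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdlib.h>

/* Minimal nested-array node: each node wraps one child, mirroring
 * `a = new Array(a)` repeated N times (constructed model, not browser code). */
typedef struct node { struct node *child; } node;

#define MAX_DEPTH 1000          /* assumed recursion budget for this demo */

static jmp_buf recovery_point;  /* set before the walk; longjmp target on overflow */

/* Free a chain iteratively, so cleanup itself never recurses. */
void free_chain(node *n) {
    while (n) { node *next = n->child; free(n); n = next; }
}

/* Build a chain of `depth` nested nodes. Returns NULL on allocation failure. */
node *build_chain(size_t depth) {
    node *inner = NULL;
    for (size_t i = 0; i < depth; i++) {
        node *n = malloc(sizeof *n);
        if (!n) { free_chain(inner); return NULL; }
        n->child = inner;
        inner = n;
    }
    return inner;
}

/* Recursive descent, the way a naive sort would visit nested elements.
 * Rather than letting the stack overflow, it bails out through longjmp once
 * the depth budget is spent. The abandoned frames own no heap memory, so
 * skipping their cleanup is safe; that is the discipline the post describes. */
static size_t walk(const node *n, size_t depth) {
    if (depth > MAX_DEPTH) longjmp(recovery_point, 1);  /* unwind by hand */
    if (!n) return depth;
    return walk(n->child, depth + 1);
}

/* Returns the nesting depth, or -1 if the structure was too deep to process. */
long measure_depth(const node *n) {
    if (setjmp(recovery_point) != 0) return -1;  /* reached via longjmp */
    return (long)walk(n, 0);
}
```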