innerHTML allocation size overflow crashes some browsers

[Susam Pal <susam.pal () gmail com>]

If we try to consume more memory than available by constructing a long
string, most browsers seem to handle this gracefully. For example,
Firefox logs an "allocation size overflow" error in the JavaScript
console for the following code:

var a = 'a'
for (var i = 0; i < 100; i++) {
    a += a
}

Example web page: http://susam.in/lab/allocation-size-overflow/var/

However, if we try to do a similar thing with the innerHTML property
of an HTML element, some browsers crash. For me, Firefox 5.0 on
Windows XP crashed for the following code but Iceweasel 6.0 on Debian
(Wheezy) and Chrome 13 on Windows as well as Chrome 12 on Debian
didn't. For some of my friends, Chrome crashed but Firefox didn't.

var a = document.getElementById('foo') // There is a div element with
id="foo" present in the page.
for (i = 0; i < 100; i++) {
    a.innerHTML += a.innerHTML;
}

Example web page:
http://susam.in/lab/allocation-size-overflow/innerhtml/ (This might
crash your browser.)

Susam Pal
http://blog.susam.in/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/