xxxx@xxxxxxxxx wrote: > When you have a NULL pointer dereference a code execution is also possible, so you can't exclude it at all. > For example in this old flaw: > http://securitytracker.com/alerts/2006/Apr/1016001.html In that example there was a way to influence the crash so that it was not null. The Metasploit blog previously reported on a way to use a null dereference crash to trigger a vulnerability in the windows SEH to run code (since fixed, and not exploitable via Firefox as far as anyone can tell). Neither of those conditions apply here, it's just a null dereference. In a debug build you get ###!!! ASSERTION: Parsing didn't create a parser context?: 'mParserContext', file c:/dev/ff2/mozilla/parser/htmlparser/src/nsParser.cpp, line 1882 This bug appears to have been fixed in the code that will become Firefox 3. This crash is being tracked at https://bugzilla.mozilla.org/show_bug.cgi?id=358797
