Apple Mac OS X是苹果家族电脑所使用的操作系统。 Mac OS X的KHTML解析器中存在拒绝服务漏洞。 在运行特制的.html文件时,khtml::RenderTableSection::ensureRows没有正确的解析数据,导致崩溃。KTHML解析器试图将内部数组的大小调整为rowspan值所显示的单元数。如果这个值很大的话,就无法调整数组,应用程序就会终止。 下面显示的是gdb中OS X 10.4.3上使用Safari所触发的崩溃: Program received signal SIGABRT, Aborted. 0x9004716c in kill () (gdb) bt #0 0x9004716c in kill () #1 0x90128b98 in abort () #2 0x95dcd974 in khtml::sYSMALLOc () <(=-- Is called because of sYSMALLOc(1234567890) #3 0x95dce1a4 in khtml::main_thread_realloc () #4 0x95bc0d64 in KWQArrayImpl::resize () #5 0x95c05428 in khtml::RenderTableSection::ensureRows () #6 0x95c0784c in khtml::RenderTableSection::addCell () #7 0x95c076ac in khtml::RenderTableRow::addChild () #8 0x95bcb2d8 in DOM::NodeImpl::createRendererIfNeeded () #9 0x95bcb1c4 in DOM::ElementImpl::attach () #10 0x95bca254 in KHTMLParser::insertNode () #11 0x95bcadd8 in KHTMLParser::insertNode () #12 0x95bcadd8 in KHTMLParser::insertNode () #13 0x95bc83fc in KHTMLParser::parseToken () #14 0x95bc54a4 in...
Apple Mac OS X是苹果家族电脑所使用的操作系统。 Mac OS X的KHTML解析器中存在拒绝服务漏洞。 在运行特制的.html文件时,khtml::RenderTableSection::ensureRows没有正确的解析数据,导致崩溃。KTHML解析器试图将内部数组的大小调整为rowspan值所显示的单元数。如果这个值很大的话,就无法调整数组,应用程序就会终止。 下面显示的是gdb中OS X 10.4.3上使用Safari所触发的崩溃: Program received signal SIGABRT, Aborted. 0x9004716c in kill () (gdb) bt #0 0x9004716c in kill () #1 0x90128b98 in abort () #2 0x95dcd974 in khtml::sYSMALLOc () <(=-- Is called because of sYSMALLOc(1234567890) #3 0x95dce1a4 in khtml::main_thread_realloc () #4 0x95bc0d64 in KWQArrayImpl::resize () #5 0x95c05428 in khtml::RenderTableSection::ensureRows () #6 0x95c0784c in khtml::RenderTableSection::addCell () #7 0x95c076ac in khtml::RenderTableRow::addChild () #8 0x95bcb2d8 in DOM::NodeImpl::createRendererIfNeeded () #9 0x95bcb1c4 in DOM::ElementImpl::attach () #10 0x95bca254 in KHTMLParser::insertNode () #11 0x95bcadd8 in KHTMLParser::insertNode () #12 0x95bcadd8 in KHTMLParser::insertNode () #13 0x95bc83fc in KHTMLParser::parseToken () #14 0x95bc54a4 in khtml::HTMLTokenizer::processToken () #15 0x95bc6e08 in khtml::HTMLTokenizer::parseTag () #16 0x95bc4d24 in khtml::HTMLTokenizer::write () #17 0x95bc038c in KHTMLPart::write () #18 0x959b510c in -[WebDataSource(WebPrivate) _commitLoadWithData:] () #19 0x9598165c in -[WebMainResourceClient addData:] () #20 0x95981588 in -[WebBaseResourceHandleDelegate didReceiveData:lengthReceived:] () #21 0x959db930 in -[WebMainResourceClient didReceiveData:lengthReceived:] () #22 0x95981524 in -[WebBaseResourceHandleDelegate connection:didReceiveData:lengthReceived:] () #23 0x92910a64 in -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] () #24 0x9290ef04 in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] () #25 0x9290eca0 in _sendCallbacks () #26 0x9075db20 in __CFRunLoopDoSources0 () #27 0x9075cf98 in __CFRunLoopRun () #28 0x9075ca18 in CFRunLoopRunSpecific () #29 0x931861e0 in RunCurrentEventLoopInMode () #30 0x931857ec in ReceiveNextEventCommon () #31 0x931856e0 in BlockUntilNextEventMatchingListInMode () #32 0x93683904 in _DPSNextEvent () #33 0x936835c8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #34 0x00007910 in ?? () #35 0x9367fb0c in -[NSApplication run] () #36 0x93770618 in NSApplicationMain () #37 0x0000307c in ?? () #38 0x00057758 in ?? ()
