Closed Bug 501381 Opened 15 years ago Closed 13 years ago

XML nested "A" tag denial of service in nsCSSRuleProcessor

Categories

(Core :: Layout, defect)

x86
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 485941

People

(Reporter: rbu, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos] stack overflow)

Attachments

(1 file)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008102920 Ubuntu/8.04 Firefox/3.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009052614 Gentoo

Mart Raudsepp reported that the reproducer for CVE-2009-1233 (which affects Apple Safari) also crashes Firefox. CVE-2009-1233 states: Apple Safari 3.2.2 and 4 Beta on Windows allows remote attackers to cause a denial of service (application crash) via an XML document containing many nested A elements.

Quoting Mart: Backtrace seems to be corrupted, and the interesting thread has only this (there are 8 worker threads that are uninteresting and sitting in conditional wait):

(gdb) bt full
#0 nsCSSRuleProcessor::GetRuleCascade (this=0x318f370, aPresContext=0x27010e0) at nsCSSRuleProcessor.cpp:2176
cascadep = (RuleCascadeData **) Cannot access memory at address 0x7fff14385ee8

Reproducible: Always

Steps to Reproduce:
1. Download python code
2. start webserver
3. visit website

Actual Results: crash

Expected Results: no crash

Gentoo is tracking this as https://bugs.gentoo.org/show_bug.cgi?id=275948
Where is the testcase used to reproduce the crash?
Severity: minor → critical
Component: Security → Style System (CSS)
QA Contact: toolkit → style-system
Related to bug 456954 or bug 323394?
> Related to bug 456954 or bug 323394? Yes. And to the other bug peterv was looking into recently that was posted to milw0rm. This should probably not be security-sensitive; it's a stack overflow leading to immediate unexploitable crash when trying to push yet another stack frame.
We should probably have a tracker for the various stack overflow bugs, and at least dup all the "xml parser allows arbitrary depth nesting" bugs together.
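The comment above groups this crash with the other "xml parser allows arbitrary depth nesting" bugs: the parser accepts unbounded nesting, and some later recursive pass over the resulting tree runs out of stack. The following Python snippet is an added illustration of that bug class and of the usual mitigation (a nesting-depth limit enforced while parsing); it is not code from this bug, from the reproducer, or from Mozilla. The class and function names (`DepthLimitingHandler`, `parse_with_depth_limit`, `recursive_walk_overflows`, `nested_document`) are assumptions for this example, and the nested document it builds is constructed sample input. In Python the recursive walker fails with a catchable `RecursionError` rather than the native stack overflow seen in the backtrace, but the mechanism is the same.

```python
import sys
import xml.sax
import xml.etree.ElementTree as ET
from xml.sax.handler import ContentHandler


class NestingTooDeep(ValueError):
    """Raised when the document nests elements deeper than the configured limit."""


class DepthLimitingHandler(ContentHandler):
    """SAX handler that tracks element depth and rejects input past max_depth.

    The check happens on startElement, i.e. before any tree is built, so a
    hostile document is refused before it can reach recursive consumers.
    """

    def __init__(self, max_depth):
        super().__init__()
        self.max_depth = max_depth
        self.depth = 0
        self.max_seen = 0

    def startElement(self, name, attrs):
        self.depth += 1
        if self.depth > self.max_depth:
            raise NestingTooDeep(
                "element <%s> at depth %d exceeds limit %d" % (name, self.depth, self.max_depth)
            )
        self.max_seen = max(self.max_seen, self.depth)

    def endElement(self, name):
        self.depth -= 1


def parse_with_depth_limit(doc_bytes, max_depth=256):
    """Parse doc_bytes, refusing documents nested deeper than max_depth.

    Returns the deepest nesting level observed in an accepted document.
    (hypothetical helper name; the limit value is an assumption)
    """
    handler = DepthLimitingHandler(max_depth)
    xml.sax.parseString(doc_bytes, handler)
    return handler.max_seen


def nested_document(tag, depth):
    """Constructed sample input: `depth` nested elements of the same tag."""
    return ("<%s>" % tag) * depth + ("</%s>" % tag) * depth


def _tree_depth(elem):
    # Deliberately recursive, like the rule-processor walk in the backtrace:
    # one stack frame per nesting level, so depth is attacker-controlled.
    return 1 + max((_tree_depth(child) for child in elem), default=0)


def recursive_walk_overflows(doc_bytes):
    """Build the tree without a limit, then walk it recursively.

    Returns True if the recursive walk blew the stack (RecursionError),
    False if it completed. Note that ElementTree itself builds the tree
    iteratively: the parser survives, the recursive consumer does not.
    """
    root = ET.fromstring(doc_bytes)
    try:
        _tree_depth(root)
        return False
    except RecursionError:
        return True


if __name__ == "__main__":
    shallow = nested_document("a", 10).encode()
    deep = nested_document("a", 3 * sys.getrecursionlimit()).encode()

    print("shallow doc, max depth seen:", parse_with_depth_limit(shallow, max_depth=32))
    print("deep doc overflows recursive walk:", recursive_walk_overflows(deep))
    try:
        parse_with_depth_limit(deep, max_depth=32)
    except NestingTooDeep as exc:
        print("deep doc rejected before any tree was built:", exc)
```

The point of the two paths is where the limit lives: `recursive_walk_overflows` shows that a parser which happily accepts any depth leaves the crash to whichever consumer recurses over the tree, whereas `parse_with_depth_limit` fails closed during parsing, independent of how the document is processed afterwards. The limit of 256 is a placeholder; a real one is chosen from what legitimate documents need and what the deepest recursive consumer can tolerate.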
Group: core-security
Whiteboard: [sg:dos]
Component: Style System (CSS) → Layout
QA Contact: style-system → layout
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, testcase
Whiteboard: [sg:dos] → [sg:dos] stack overflow
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE