Fwd: Re: Buffer Overflow with all versions of Internet Explorer and Javacript.

Koos Vriezen koos.vriezen at xs4all.nl
Wed Jun 5 21:56:03 BST 2002


On Wed, 5 Jun 2002, Harri Porten wrote:
> On Tue, 4 Jun 2002, Koos Vriezen wrote:
> > On Tue, 4 Jun 2002, Koos Vriezen wrote:
> > > On Tue, 4 Jun 2002, Harri Porten wrote:
> > > > The only limit that was and still is there is against too many recursive
> > > > calls to the interpreter (html event->js->html->js->...). I'll try to
> > > > think of something for internal recursions. But I wouldn't know what to
> > > > really do against infinite loops like while(1);. They can be by design and
> > > > harmless but there is no way to abort them, yet. Easier with threading.
> > >
> > > Maybe use SIGALARM?
> >
> > Just a small hack that stops a 'while(true);' script after 5 seconds:
>
> SIGALARM is also the best solution I can think of. But it needs more
> thinking as it has to be made more flexible. If the interpreter hangs in
> a call to an interactive function (e.g. window.alert()) it's perfectly
> acceptable to wait infinitely.

Yes, I also thought about the debugger case. Just setting 'alarm(0)' seems the
best option.
All user input comes from khtml/ecma/kjs_window, which could do a
  unsigned int remaining = alarm(0);   /* alarm() returns the seconds left; suspend the watchdog */
  ....
  alarm(remaining);                    /* resume it after the interactive call */
Same for LiveConnect calls, or for Java maybe:
  int alarmhandler(int)
    if (user says terminate)
      kjas.destroy.applet.thread

Can you think of other cases?

Hmmm, just looked at the setitimer manpage. ITIMER_VIRTUAL seems a good
option. It doesn't decrement with 'window.alert' and the like. We also get
millisecond resolution. E.g.

  signal(SIGVTALRM, alarmHandler);
  /* struct itimerval is { it_interval, it_value }: re-fire every 2 s, first after 5 s */
  struct itimerval tv = { { 2, 0}, { 5, 0 } };
  setitimer(ITIMER_VIRTUAL, &tv, 0L);
  Completion comp = m_script->evaluate(code, thisNode);
  struct itimerval tv2 = { { 0, 0}, { 0, 0 } };   /* it_value == 0 disarms the timer */
  setitimer(ITIMER_VIRTUAL, &tv2, 0L);

seems to work. (Strange, without an interval value, the signal is not
delivered.) However, this wouldn't fix the infinite case ;)

Koos
