Off-by-one error in the `_web_drawInRect:withFont:ellipsis:alignment:measureOnly` function in WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4 and 2.0 allows remote attackers to cause a denial of service (browser crash) via a JavaScript alert call with an argument that lacks breakable characters and has a length that is a multiple of the memory page size, leading to an out-of-bounds read.

| Author | Note |
|---|---|
| mdeslaur | looks like a safari bug (code not present in webkit) |
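
The bug class named in the description, as an added illustration in C (not Apple's or WebKit's code, whose source is not shown on this page): a hypothetical scanner for a breakable character whose loop bound is off by one, next to the corrected bound. The function names, the single-byte text and the 4096-byte page size are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE 4096u  /* assumed page size */

/* Hypothetical line-break scanners: return the index of the first space, or
 * len if the text has none. *bytes_read counts the bytes examined. */
static size_t scan_buggy(const char *text, size_t len, size_t *bytes_read)
{
    size_t i;
    for (i = 0, *bytes_read = 0; i <= len; i++) {  /* BUG: "<=" also reads text[len] */
        ++*bytes_read;
        if (text[i] == ' ')
            return i;
    }
    return len;
}

static size_t scan_fixed(const char *text, size_t len, size_t *bytes_read)
{
    size_t i;
    for (i = 0, *bytes_read = 0; i < len; i++) {   /* stops at the last valid byte */
        ++*bytes_read;
        if (text[i] == ' ')
            return i;
    }
    return len;
}

/* For a page-aligned buffer, text[len] starts a new page iff len is a non-zero multiple of PAGE_SIZE. */
static int overread_crosses_page(size_t len)
{
    return len != 0 && len % PAGE_SIZE == 0;
}

/* Constructed input: 'A's only (nothing breakable), with spare bytes so the demo stays inside its array. */
static size_t demo_bytes_read(int use_fixed, size_t len)
{
    static char backing[2 * PAGE_SIZE + 1];
    size_t n = 0;
    if (len > 2 * PAGE_SIZE)
        return 0;
    memset(backing, 'A', sizeof backing);
    if (use_fixed) scan_fixed(backing, len, &n);
    else           scan_buggy(backing, len, &n);
    return n;
}

int main(void) { return demo_bytes_read(1, PAGE_SIZE) == PAGE_SIZE ? 0 : 1; }
```

With no breakable character to stop the loop early, the buggy bound examines one byte more than the text holds; when the text fills whole pages, that byte belongs to the following page, and the read faults if that page is not mapped.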