Dirk Heinrich reported that on Windows platforms, when document.write()
was called with a very long string, a buffer overflow occurred in the
line-breaking routines that process the string for display. Such cases
triggered an invalid read past the end of an array, causing a crash that
an attacker could potentially use to run arbitrary code on a victim's
computer.