Corrupt JIT state after deep return from native function

ID MFSA2009-41
Type mozilla
Reporter Mozilla Foundation
Modified 2009-07-16T00:00:00


Firefox user zbyte reported a crash that we determined could result in an exploitable memory corruption problem. In certain cases after a return from a native function, such as escape(), the Just-in-Time (JIT) compiler could get into a corrupt state. This could be exploited by an attacker to run arbitrary code such as installing malware.

We would like to thank community members Lucas Kruijswijk and Nochum Sossonko for isolating the problematic script from the original crashing site.

This vulnerability does not affect earlier versions of Firefox which do not support the JIT feature.