Crash and remote code execution in normalizeDocument

2010-09-07T00:00:00
ID MFSA2010-57
Type mozilla
Reporter Mozilla Foundation
Modified 2010-09-07T00:00:00

Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory.