SVG buffer overflow and use-after-free issues

2012-08-28T00:00:00
ID MFSA2012-63
Type mozilla
Reporter Mozilla Foundation
Modified 2012-08-28T00:00:00

Description

Security researcher Arthur Gerkis used the Address Sanitizer tool to find two issues involving Scalable Vector Graphics (SVG) files. The first issue is a buffer overflow in Gecko's SVG filter code when the sum of two values is too large to be stored as a signed 32-bit integer, causing the function to write past the end of an array. The second issue is a use-after-free when an element with a "requiredFeatures" attribute is moved between documents. In that situation, the internal representation of the "requiredFeatures" value could be freed prematurely. Both issues are potentially exploitable.