Writing to cycle collected object during image decoding

ID MFSA2013-97
Type mozilla
Reporter Mozilla Foundation
Modified 2013-10-29T00:00:00


Mozilla community member Ezra Pool reported a potentially exploitable crash on extremely large pages. This was caused when a cycle collected image object was released on the wrong thread during decoding, creating a race condition.

In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts.