Upper bound check bypass due to signed compare in SharedBufferManagerParent::RecvAllocateGrallocBuffer

ID MFSA2015-77
Type mozilla
Reporter Mozilla Foundation
Modified 2015-08-06T00:00:00


Mozilla intern Julian Hector discovered a regression in the graphics buffer management of Firefox OS's graphics layer that would lead to graphics memory corruption when negative size parameters are provided. JavaScript cannot access the graphics layer in the way required to trigger this vulnerability, but it could potentially be used in a staged attack.
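
The bug class named in the title, shown as an added example that is not Mozilla's code: an upper-bound check done with a signed compare accepts negative sizes, beside a hardened form that rejects them. The limit `kMaxDim`, the function names and the sample inputs are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical limit; the advisory does not state the real one.
constexpr int32_t kMaxDim = 4096;

// Flawed pattern: only the upper bound is tested, with a signed compare.
// A negative width or height is "less than" the limit and passes.
bool check_size_signed(int32_t width, int32_t height) {
    return width <= kMaxDim && height <= kMaxDim;
}

// What an allocator taking size_t would receive if a negative value
// got past the flawed check: the value converts to a huge unsigned size.
size_t as_allocator_sees(int32_t v) { return static_cast<size_t>(v); }

// Hardened pattern: reject non-positive values before the upper bound,
// then compute the byte count in 64-bit unsigned arithmetic so the
// multiplication cannot wrap for any accepted input.
bool checked_buffer_bytes(int32_t width, int32_t height,
                          uint32_t bytes_per_pixel, size_t* out) {
    if (width <= 0 || height <= 0) return false;
    if (width > kMaxDim || height > kMaxDim) return false;
    if (bytes_per_pixel == 0 || bytes_per_pixel > 8) return false;
    uint64_t bytes = static_cast<uint64_t>(width) *
                     static_cast<uint64_t>(height) * bytes_per_pixel;
    *out = static_cast<size_t>(bytes);  // at most 4096*4096*8, fits size_t
    return true;
}

int main() {
    int32_t w = -1, h = 16;  // constructed input
    size_t n = 0;
    std::printf("signed check accepts (-1,16): %d\n", check_size_signed(w, h));
    std::printf("-1 as size_t: %zu\n", as_allocator_sees(w));
    std::printf("hardened accepts (-1,16): %d\n",
                checked_buffer_bytes(w, h, 4, &n));
    std::printf("hardened accepts (64,16): %d\n",
                checked_buffer_bytes(64, 16, 4, &n));
    return 0;
}
```

Size parameters that arrive over IPC should be validated on both bounds in the receiving process before any arithmetic or allocation uses them.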