Use-after-free when resizing canvas element during restyling

2015-08-27T00:00:00
ID MFSA2015-94
Type mozilla
Reporter Mozilla Foundation
Modified 2015-08-27T00:00:00

Description

Mozilla community member Jean-Max Reymond discovered a use-after-free vulnerability involving a <canvas> element on a page. It occurs when a resize event is triggered together with style changes after the canvas references have already been recreated, so the originally referenced context has been destroyed by the time it is used. This results in an exploitable crash. Ucha Gobejishvili, working with HP's Zero Day Initiative, subsequently reported this same issue.