Crash in incremental garbage collection in JavaScript

2016-08-02T00:00:00
ID MFSA2016-71
Type mozilla
Reporter Mozilla Foundation
Modified 2016-08-02T00:00:00

Description

Security researcher Jukka Jylänki reported a use-after-free in JavaScript caused by how objects and pointers are handled during incremental garbage collection in some circumstances working with object groups. When triggered, this causes a potential exploitable crash but is mitigated by the difficulties in controlling the crash and its output.