Upper bound check bypass due to signed compare in SharedBufferManagerParent::RecvAllocateGrallocBuffer — Mozilla

Mozilla intern Julian Hector discovered a regression in the graphics buffer management of Firefox OS's graphics layer that would lead to graphics memory corruption by providing negative size parameters. JavaScript can not access the graphics layer in a way required to trigger this vulnerability,...