Mozilla Foundation Security Advisory 2010-39

2010-07-24T00:00:00
ID SECURITYVULNS:DOC:24312
Type securityvulns
Reporter Securityvulns
Modified 2010-07-24T00:00:00

Description

Mozilla Foundation Security Advisory 2010-39

Title: nsCSSValue::Array index integer overflow Impact: Critical Announced: July 20, 2010 Reporter: J23 (via TippingPoint's Zero Day Initiative) Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.7 Firefox 3.5.11 Thunderbird 3.1.1 Thunderbird 3.0.6 SeaMonkey 2.0.6 Description

Security researcher J23 reported via TippingPoint's Zero Day Initiative that an array class used to store CSS values contained an integer overflow vulnerability. The 16 bit integer value used in allocating the size of the array could overflow, resulting in too small a memory buffer being created. When the array was later populated with CSS values data would be written past the end of the buffer potentially resulting in the execution of attacker-controlled memory. References

* https://bugzilla.mozilla.org/show_bug.cgi?id=574059
* CVE-2010-2752