Mozilla Foundation Security Advisory 2010-03
Title: Use-after-free crash in HTML parser
Announced: February 17, 2010
Reporter: Alin Rad Pop
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.6
Security researcher Alin Rad Pop of Secunia Research reported that the HTML parser incorrectly freed used memory when insufficient space was available to process remaining input. Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controlled text. These conditions could result in the execution or arbitrary code if methods on the freed objects were subsequently called.