Mozilla Foundation Security Advisory 2010-29
Title: Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
Announced: June 22, 2010
Reporter: Nils (MWR InfoSecurity)
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.6.4
Security researcher Nils of MWR InfoSecurity reported that the routine for setting the text value for certain types of DOM nodes contained an integer overflow vulnerability. When a very long string was passed to this routine, the integer value used in creating a new memory buffer to hold the string would overflow, resulting in too small a buffer being allocated. An attacker could use this vulnerability to write data past the end of the buffer, causing a crash and potentially running arbitrary code on a victim's computer.
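The class of bug described above, shown as an added example that is not Mozilla's code: a size computation that wraps next to a checked version that refuses the request before allocating. The `text_buf` type, the function names, 32-bit lengths and 16-bit code units are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical text node storage (assumed 16-bit code units, 32-bit length). */
typedef struct { uint16_t *data; uint32_t len; } text_buf;

/* Unchecked size computation: both the addition and the multiplication
   wrap modulo 2^32, so a huge request yields a tiny byte count. */
static uint32_t unchecked_alloc_bytes(uint32_t old_len, uint32_t add_len) {
    return (old_len + add_len) * (uint32_t)sizeof(uint16_t);
}

/* Checked version: 0 and the byte count on success, -1 if it would wrap. */
static int checked_alloc_bytes(uint32_t old_len, uint32_t add_len, uint32_t *out) {
    if (add_len > UINT32_MAX - old_len) return -1;         /* addition wraps */
    uint32_t total = old_len + add_len;
    if (total > UINT32_MAX / sizeof(uint16_t)) return -1;  /* multiply wraps */
    *out = total * (uint32_t)sizeof(uint16_t);
    return 0;
}

/* Append that validates the size before any allocation or copy happens. */
static int text_append(text_buf *t, const uint16_t *src, uint32_t add_len) {
    uint32_t bytes;
    if (checked_alloc_bytes(t->len, add_len, &bytes) != 0) return -1;
    uint16_t *p = realloc(t->data, bytes ? bytes : 1);
    if (!p) return -1;                                     /* old buffer kept */
    memcpy(p + t->len, src, (size_t)add_len * sizeof(uint16_t));
    t->data = p;
    t->len += add_len;
    return 0;
}

int main(void) {
    text_buf t = {0};
    uint16_t hi[2] = {'h', 'i'};
    printf("normal append: %d\n", text_append(&t, hi, 2));
    printf("unchecked bytes for wrapped request: %u\n",
           (unsigned)unchecked_alloc_bytes(0x80000000u, 0x80000004u));
    /* Constructed state: a length close to the 32-bit limit. */
    text_buf big = { NULL, 0xFFFFFFF0u };
    printf("checked append near limit: %d\n", text_append(&big, hi, 0x20u));
    free(t.data);
    return 0;
}
```

The checked path fails closed: the caller gets an error and the existing buffer and length are left untouched.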