Mozilla Foundation Security Advisory 2010-37
Title: Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability
Announced: July 20, 2010
Reporter: J23 (via TippingPoint's Zero Day Initiative)
Products: Firefox, SeaMonkey
Fixed in: Firefox 3.6.7
Security researcher J23 reported, via TippingPoint's Zero Day Initiative, an error in the code used to store the names and values of plugin parameter elements. A malicious page could embed plugin content containing a very large number of parameter elements, which would cause an overflow in the integer value counting them. This integer is later used to allocate the memory buffer that stores the plugin parameters. Under such conditions the buffer would be too small, and attacker-controlled data could be written past its end, potentially resulting in code execution.
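
The counting error described above, shown as an added example (not Mozilla's code): a narrow counter that undercounts its input, beside a sizing routine that rejects such input before any allocation. The 16-bit counter width, `struct param`, the cap value and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical name/value pair; the advisory does not show the real types. */
struct param { const char *name; const char *value; };

/* Flawed sizing: the element count is kept in a 16-bit counter (assumed
 * width), so it wraps modulo 65536 and the buffer is sized for too few. */
size_t slots_unchecked(size_t n_elements)
{
    uint16_t count = (uint16_t)n_elements;
    return count;
}

/* Hardened sizing: refuse counts above a cap and any count whose byte
 * size would overflow size_t. Returns 0 on success, -1 on rejection. */
int slots_checked(size_t n_elements, size_t max_elements, size_t *bytes_out)
{
    if (n_elements > max_elements)
        return -1;
    if (n_elements > SIZE_MAX / sizeof(struct param))
        return -1;
    *bytes_out = n_elements * sizeof(struct param);
    return 0;
}

/* Copy parameters only after the size has passed the checks above. */
struct param *store_params(const struct param *src, size_t n, size_t max)
{
    size_t bytes;
    if (slots_checked(n, max, &bytes) != 0)
        return NULL;                      /* rejected before touching src */
    struct param *dst = malloc(bytes ? bytes : 1);
    if (dst == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)        /* n matches the allocated size */
        dst[i] = src[i];
    return dst;
}

int main(void)
{
    /* Constructed input: 65540 elements counted in 16 bits leaves 4 slots. */
    printf("unchecked slots for 65540 elements: %zu\n", slots_unchecked(65540));
    return 0;
}
```

The essential property of the hardened path is that the loop bound and the allocation size come from the same validated value, so the two cannot disagree.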