Mozilla Foundation Security Advisory 2010-40

Title: nsTreeSelection dangling pointer remote code execution vulnerability
Impact: Critical
Announced: July 20, 2010
Reporter: regenrecht (via TippingPoint's Zero Day Initiative)
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.7
  Firefox 3.5.11
  Thunderbird 3.1.1
  Thunderbird 3.0.6
  SeaMonkey 2.0.6

Description

Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, an integer overflow vulnerability in the implementation of the XUL <tree> element's selection attribute. When the size of a new selection is sufficiently large, the integer used in calculating the length of the selection can overflow, resulting in a bogus range being marked selected. When adjustSelection is then called on the bogus range, the range is deleted, leaving dangling references to the ranges, which an attacker could use to call into deleted memory and run arbitrary code on a victim's computer.
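
The length arithmetic described above, as an added example that is not Mozilla's code: a simplified model of a selection stored as inclusive row ranges, with a 32-bit count that wraps beside a checked count that rejects the oversized selection. The type and function names (`sel_range`, `count_unchecked`, `count_checked`) and the sample ranges are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of one selected run of rows, both ends inclusive. */
typedef struct { int32_t min, max; } sel_range;

/* Portable two's-complement reinterpretation of a wrapped 32-bit sum. */
static int32_t wrap32(uint32_t u) {
    return u <= INT32_MAX ? (int32_t)u : (int32_t)(u - 0x80000000u) + INT32_MIN;
}

/* Unchecked: sums max - min + 1 in 32 bits, so a large selection wraps. */
int32_t count_unchecked(const sel_range *r, size_t n) {
    uint32_t total = 0; /* unsigned keeps the wraparound well defined in C */
    for (size_t i = 0; i < n; i++)
        total += (uint32_t)r[i].max - (uint32_t)r[i].min + 1u;
    return wrap32(total);
}

/* Checked: widens to 64 bits and rejects inverted ranges, negative rows and
   totals that do not fit the 32-bit count. Returns false on rejection. */
bool count_checked(const sel_range *r, size_t n, int32_t *out) {
    int64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (r[i].min < 0 || r[i].min > r[i].max)
            return false;
        total += (int64_t)r[i].max - (int64_t)r[i].min + 1;
        if (total > INT32_MAX)
            return false;
    }
    *out = (int32_t)total;
    return true;
}

int main(void) {
    /* Constructed inputs: an ordinary selection and an oversized one. */
    const sel_range small[] = { {2, 5}, {10, 10} };
    const sel_range huge[]  = { {0, INT32_MAX} };
    int32_t c = 0;
    printf("small: unchecked=%d checked_ok=%d\n",
           (int)count_unchecked(small, 2), (int)count_checked(small, 2, &c));
    printf("huge:  unchecked=%d checked_ok=%d\n",
           (int)count_unchecked(huge, 1), (int)count_checked(huge, 1, &c));
    return 0;
}
```

A negative or otherwise wrapped count is the kind of bogus length that later range bookkeeping cannot be trusted to handle, which is why the checked form refuses the selection before any range is created or deleted.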