Mozilla Foundation Security Advisory 2010-41
Title: Remote code execution using malformed PNG image
Announced: July 20, 2010
Reporter: Aki Helin
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.6.7
OUSPG researcher Aki Helin reported a buffer overflow in Mozilla graphics code that consumes image data processed by libpng. A malformed PNG file could be crafted that causes libpng to report incorrect image dimensions to downstream consumers. When the dimensions are underreported, the Mozilla code responsible for displaying the image allocates a memory buffer too small to hold the image data and then writes past the end of that buffer. This could result in the execution of attacker-controlled memory.
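The defensive pattern the advisory implies, as an added example that is not Mozilla's or libpng's code: a row-callback consumer that sizes its buffer from the reported header but bounds every write by what it actually allocated, exercised against a constructed stream whose header claims 2x2 while the decoder delivers an over-long row and rows past the reported height. The frame_t type, the RGBA layout and all function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical frame sized from the header the decoder reported (assumed RGBA). */
typedef struct {
    uint32_t width, height; /* dimensions as reported by the decoder */
    size_t   stride;        /* bytes per row: width * 4 */
    uint8_t *pixels;        /* stride * height bytes */
    size_t   rows_written, rows_rejected;
} frame_t;
/* Size the buffer from the reported dimensions, refusing integer overflow. */
int frame_init(frame_t *f, uint32_t width, uint32_t height) {
    if (width == 0 || height == 0 || width > SIZE_MAX / 4) return -1;
    size_t stride = (size_t)width * 4;
    if (height > SIZE_MAX / stride) return -1;
    f->width = width; f->height = height; f->stride = stride;
    f->pixels = calloc(height, stride);
    if (!f->pixels) return -1;
    f->rows_written = f->rows_rejected = 0;
    return 0;
}
/* Row callback: the decoder hands over one decoded row at a time. A malformed
   file can make it deliver more rows, or longer rows, than the header promised,
   so every write is bounded by what the consumer allocated, not by the decoder. */
int frame_row_callback(frame_t *f, uint32_t row_num, const uint8_t *row, size_t row_len) {
    if (row_num >= f->height || row_len != f->stride) {
        f->rows_rejected++;   /* out-of-bounds row: drop it, mark image corrupt */
        return -1;
    }
    memcpy(f->pixels + (size_t)row_num * f->stride, row, row_len);
    f->rows_written++;
    return 0;
}
void frame_free(frame_t *f) { free(f->pixels); f->pixels = NULL; }
/* Constructed stream: header claims 2x2, but the decoder emits an over-long
   row and two rows past the reported height. Returns the number rejected. */
size_t demo_malformed_stream(void) {
    frame_t f;
    if (frame_init(&f, 2, 2) != 0) return (size_t)-1;
    uint8_t row[8] = {0}, long_row[12] = {0}; /* 2 px * 4 B; and one too long */
    frame_row_callback(&f, 0, row, sizeof row);           /* accepted */
    frame_row_callback(&f, 1, long_row, sizeof long_row); /* rejected: length */
    frame_row_callback(&f, 2, row, sizeof row);           /* rejected: height */
    frame_row_callback(&f, 3, row, sizeof row);           /* rejected: height */
    size_t rejected = f.rows_rejected;
    frame_free(&f);
    return rejected;
}
```

The same check also covers the overflow case in the other direction: frame_init refuses dimensions whose byte count would wrap, so a header cannot produce a buffer smaller than the arithmetic suggests.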