Mozilla Foundation Security Advisory 2010-77
Title: Crash and remote code execution using HTML tags inside a XUL tree
Announced: December 9, 2010
Products: Firefox, SeaMonkey
Fixed in: Firefox 3.6.13
Security researcher wushi of team509 reported that when a XUL tree had an HTML <div> element nested inside a <treechildren> element then code attempting to display content in the XUL tree would incorrectly treat the <div> element as a parent node to tree content underneath it resulting in incorrect indexes being calculated for the child content. These incorrect indexes were used in subsequent array operations which resulted in writing data past the end of an allocated buffer. An attacker could use this issue to crash a victim's browser and run arbitrary code on their machine.