You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2010-81

Mozilla Foundation Security Advisory 2010-81

Title: Integer overflow vulnerability in NewIdArray
Impact: Critical
Announced: December 9, 2010
Reporter: regenrecht
Products: Firefox, SeaMonkey

Fixed in: Firefox 3.6.13
  Firefox 3.5.16
  SeaMonkey 2.0.11

Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that JavaScript arrays were vulnerable to an integer overflow vulnerability. The report demonstrated that an array could be constructed containing a very large number of items such that when memory was allocated to store the array items, the integer value used to calculate the buffer size would overflow resulting in too small a buffer being allocated. Subsequent use of the array object could then result in data being written past the end of the buffer and causing memory corruption.

References