You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2011-22

Mozilla Foundation Security Advisory 2011-22

Title: Integer overflow and arbitrary code execution in Array.reduceRight()
Impact: Critical
Announced: June 21, 2011
Reporter: Chris Rohlf and Yan Ivnitskiy
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 5
  Firefox 3.6.18
  Thunderbird 3.1.11
  SeaMonkey 2.2

Description

Security researchers Chris Rohlf and Yan Ivnitskiy of Matasano Security reported that when a JavaScript Array object had its length set to an extremely large value, the iteration of array elements that occurs when its reduceRight method was subsequently called could result in the execution of attacker controlled memory due to an invalid index value being used to access element properties.

References