Mozilla Foundation Security Advisory 2012-10
Title: use after free in nsXBLDocumentInfo::ReadPrototypeBindings
Announced: February 10, 2012
Reporter: Andrew McCreight, Olli Pettay
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 10.0.1
Firefox ESR 10.0.1
Thunderbird ESR 10.0.1
Mozilla developers Andrew McCreight and Olli Pettay found that ReadPrototypeBindings will leave a XBL binding in a hash table even when the function fails. If this occurs, when the cycle collector reads this hash table and attempts to do a virtual method on this binding a crash will occur. This crash may be potentially exploitable.
Firefox 9 and earlier are not affected by this vulnerability.