CSS cursor image buffer overflow (Windows only)
- December 19, 2006
- Frederik Reiss
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 220.127.116.11
- Firefox 18.104.22.168
- SeaMonkey 1.0.7
- Thunderbird 22.214.171.124
Frederik Reiss reported a crash when using the CSS cursor property to set the cursor to certain images on Windows. A miscalculated size during conversion of the image to a Windows bitmap can result in a heap buffer overflow which could be used to compromise the victim's computer.
This flaw affects both Firefox 2 and Firefox 1.5 but not the earlier Firefox 1.0 or Mozilla Suite
Upgrade to a fixed version.