Mozilla Foundation Security Advisory 2006-69

CSS cursor image buffer overflow (Windows only)

Announced: December 19, 2006
Reporter: Frederik Reiss
Impact: Critical
Products: Firefox, SeaMonkey, Thunderbird
Fixed in:
  • Firefox 1.5.0.9
  • Firefox 2.0.0.1
  • SeaMonkey 1.0.7
  • Thunderbird 1.5.0.9

Description

Frederik Reiss reported a crash when using the CSS cursor property to set the cursor to certain images on Windows. A miscalculated size during conversion of the image to a Windows bitmap can result in a heap buffer overflow which could be used to compromise the victim's computer.

This flaw affects both Firefox 2 and Firefox 1.5, but not the earlier Firefox 1.0 or Mozilla Suite.
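The advisory does not say which size was miscalculated. As an added illustration of the bug class (not Mozilla's code; `dib_size` and `rgb_to_dib24` are hypothetical names), the C below computes a 24-bit Windows bitmap buffer size with row padding and overflow checks before anything is allocated or written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical helper: size of a Windows DIB pixel buffer.
 * Each row is padded to a 4-byte boundary, so width * bytes-per-pixel
 * alone under-counts. Returns 0 on success, -1 on bad or overflowing sizes. */
int dib_size(uint32_t width, uint32_t height, uint32_t bpp,
             size_t *stride, size_t *total)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 32)
        return -1;
    uint64_t bits = (uint64_t)width * bpp;      /* < 2^37, no wrap */
    uint64_t row  = ((bits + 31) / 32) * 4;     /* DWORD-aligned row */
    if (row > SIZE_MAX / height)                /* row * height would wrap */
        return -1;
    *stride = (size_t)row;
    *total  = (size_t)row * height;
    return 0;
}

/* Hypothetical converter: packed top-down RGB -> bottom-up BGR 24-bit DIB.
 * Caller frees the result. NULL on invalid size or allocation failure. */
uint8_t *rgb_to_dib24(const uint8_t *rgb, uint32_t width, uint32_t height,
                      size_t *out_len)
{
    size_t stride, total;
    if (dib_size(width, height, 24, &stride, &total) != 0)
        return NULL;
    uint8_t *dib = calloc(1, total);            /* padding bytes stay zero */
    if (dib == NULL)
        return NULL;
    for (size_t y = 0; y < height; y++) {
        const uint8_t *src = rgb + y * width * 3;
        uint8_t *dst = dib + (height - 1 - y) * stride;   /* rows flipped */
        for (size_t x = 0; x < width; x++) {
            dst[x * 3 + 0] = src[x * 3 + 2];    /* B */
            dst[x * 3 + 1] = src[x * 3 + 1];    /* G */
            dst[x * 3 + 2] = src[x * 3 + 0];    /* R */
        }
    }
    *out_len = total;
    return dib;
}
```

For a 3x2 image the padded buffer is 24 bytes, while the unpadded product width * height * 3 is only 18.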

Workaround

Upgrade to a fixed version.
