Your system may not meet the requirements for Firefox, but you can try one of these versions:

Your system doesn't meet the requirements to run Firefox.

Your system doesn't meet the requirements to run Firefox.

Please follow these instructions to install Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2009-67

Integer overflow, crash in libtheora video library

Announced
December 15, 2009
Reporter
Dan Kaminsky, David Keeler
Impact
Critical
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.5.6
  • SeaMonkey 2.0.1
  • Thunderbird 3.0.1

Description

Security researcher Dan Kaminsky reported an integer overflow in the Theora video library. A video's dimensions were being multiplied together and used in particular memory allocations. When the video dimensions were sufficiently large, the multiplication could overflow a 32-bit integer resulting in too small a memory buffer being allocated for the video. An attacker could use a specially crafted video to write data past the bounds of this buffer, causing a crash and potentially running arbitrary code on a victim's computer.

Mozilla intern David Keeler also independently reported this issue as well as an additional crash which was determined to be a denial-of-service.

Video capabilities were added to the Mozilla browser engine in Firefox 3.5, SeaMonkey 2.0, and Thunderbird 3.0; prior releases of these products were not affected.

These bugs were fixed upstream in Theora version 1.1 ("Thusnelda") but the older version used in Firefox 3.5 needed this patch.

References