Mozilla Foundation Security Advisory 2010-03

Use-after-free crash in HTML parser

Announced
February 17, 2010
Reporter
Alin Rad Pop
Impact
Critical
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.0.18
  • Firefox 3.5.8
  • Firefox 3.6
  • SeaMonkey 2.0.3
  • Thunderbird 3.0.2

Description

Security researcher Alin Rad Pop of Secunia Research reported that the HTML parser incorrectly freed used memory when insufficient space was available to process remaining input. Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controlled text. These conditions could result in the execution or arbitrary code if methods on the freed objects were subsequently called.

References