Mozilla Foundation Security Advisory 2010-29

Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal

Announced
June 22, 2010
Reporter
Nils (MWR InfoSecurity)
Impact
Critical
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.5.10
  • Firefox 3.6.4
  • SeaMonkey 2.0.5
  • Thunderbird 3.0.5

Description

Security researcher Nils of MWR InfoSecurity reported that the routine for setting the text value for certain types of DOM nodes contained an integer overflow vulnerability. When a very long string was passed to this routine, the integer value used in creating a new memory buffer to hold the string would overflow, resulting in too small a buffer being allocated. An attacker could use this vulnerability to write data past the end of the buffer, causing a crash and potentially running arbitrary code on a victim's computer.

References