Mozilla Foundation Security Advisory 2010-75

Buffer overflow while line breaking after document.write with long string

Announced
December 9, 2010
Reporter
Dirk Heinrich
Impact
Critical
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.5.16
  • Firefox 3.6.13
  • SeaMonkey 2.0.11
  • Thunderbird 3.0.11
  • Thunderbird 3.1.7

Description

Dirk Heinrich reported that on Windows platforms when document.write() was called with a very long string a buffer overflow was caused in line breaking routines attempting to process the string for display. Such cases triggered an invalid read past the end of an array causing a crash which an attacker could potentially use to run arbitrary code on a victim's computer.

References