Mozilla Foundation Security Advisory 2010-77

Crash and remote code execution using HTML tags inside a XUL tree

Announced
December 9, 2010
Reporter
wushi
Impact
Critical
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 3.5.16
  • Firefox 3.6.13
  • SeaMonkey 2.0.11

Description

Security researcher wushi of team509 reported that when a XUL tree had an HTML <div> element nested inside a <treechildren> element then code attempting to display content in the XUL tree would incorrectly treat the <div> element as a parent node to tree content underneath it resulting in incorrect indexes being calculated for the child content. These incorrect indexes were used in subsequent array operations which resulted in writing data past the end of an allocated buffer. An attacker could use this issue to crash a victim's browser and run arbitrary code on their machine.

References