Mozilla Foundation Security Advisory 2011-22

Integer overflow and arbitrary code execution in Array.reduceRight()

Announced: June 21, 2011
Reporter: Chris Rohlf and Yan Ivnitskiy
Impact: Critical
Products: Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.6.18
  • Firefox 5
  • SeaMonkey 2.2
  • Thunderbird 3.1.11

Description

Security researchers Chris Rohlf and Yan Ivnitskiy of Matasano Security reported that when a JavaScript Array object had its length set to an extremely large value, the iteration over array elements performed by a subsequent call to its reduceRight method could use an invalid index value to access element properties, resulting in the execution of attacker-controlled memory.
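As an added illustration (not Mozilla's code and not the actual fix), the snippet below shows that an Array's length may legally be set to 2^32-1, that an index derived from that length wraps negative once truncated to a signed 32-bit integer (the kind of invalid index the advisory describes; the int32 truncation is an assumption used for illustration), and a reduceRight that only visits indices the array actually owns:

```javascript
// Added illustration (not Mozilla's code): how a huge Array length interacts
// with reduceRight index arithmetic, and a reduceRight that never derives an
// element index from the length counter.

const MAX_ARRAY_LENGTH = 4294967295; // 2^32 - 1, the largest legal Array length

// An index computed from `length - 1` but stored in a signed 32-bit integer
// wraps negative; a native implementation that then used such a value as an
// offset would read outside the element storage (the class of bug described).
function truncatedLastIndex(length) {
  return (length - 1) | 0; // `| 0` forces ToInt32, mimicking an int32 variable
}

// reduceRight that walks only the indices that actually hold elements, in
// descending order, so a sparse array with a huge length costs O(elements)
// and every index used is one the object really owns.
function safeReduceRight(arr, callback, initialValue) {
  const indices = Object.keys(arr)
    .filter((key) => String(Number(key) >>> 0) === key && Number(key) < MAX_ARRAY_LENGTH)
    .map(Number)
    .sort((a, b) => b - a);
  let acc = initialValue;
  let started = arguments.length >= 3;
  for (const k of indices) {
    if (!started) { acc = arr[k]; started = true; continue; }
    acc = callback(acc, arr[k], k, arr);
  }
  if (!started) throw new TypeError('Reduce of empty array with no initial value');
  return acc;
}

// Constructed sample: a sparse array with three elements and the maximum length.
function demo() {
  const a = [];
  a[0] = 'first';
  a[5] = 'middle';
  a.length = MAX_ARRAY_LENGTH;      // legal: length is a uint32
  a[MAX_ARRAY_LENGTH - 1] = 'last'; // highest valid index
  return {
    length: a.length,
    wrapped: truncatedLastIndex(a.length), // -2: the invalid index
    joined: safeReduceRight(a, (acc, v) => acc + ',' + v),
  };
}
```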

References