Mozilla Foundation Security Advisory 2012-23

Invalid frees causes heap corruption in gfxImageSurface

Announced
April 24, 2012
Reporter
Atte Kettunen
Impact
Critical
Products
Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
Fixed in
  • Firefox 12
  • Firefox ESR 10.0.4
  • SeaMonkey 2.9
  • Thunderbird 12
  • Thunderbird ESR 10.0.4

Description

Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG found a heap corruption in gfxImageSurface which allows for invalid frees and possible remote code execution. This happens due to float error, resulting from graphics values being passed through different number systems.

References