Use-after-free in the Text Track Manager for HTML video
- April 29, 2014
- Abhishek Arya
- Firefox, SeaMonkey
- Fixed in
- Firefox 29
- SeaMonkey 2.26
Using the Address Sanitizer tool, security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team found a use-after-free in the Text Track Manager while processing HTML video. This was caused by inconsistent garbage collection of Text Track Manager variables and results in a potentially exploitable crash.
In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts.