Mozilla Foundation Security Advisory 2014-54

Buffer overflow in Gamepad API

Announced
June 10, 2014
Reporter
Looben Yang
Impact
High
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 30
  • SeaMonkey 2.26.1

Description

Security researcher Looben Yang reported a buffer overflow in Gamepad API when it is exercised with a gamepad device with non-contiguous axes. This can be either an actual physical device or by the installation of a virtual gamepad. This results in a potentially exploitable crash. The Gamepad API was introduced in Firefox 29 and this issue does not affect earlier versions.

This issue occurs only on Windows 8 with a gamepad or virtual gamepad attached.

References