Mozilla Foundation Security Advisory 2014-59
Use-after-free in DirectWrite font handling
- July 22, 2014
- James Kitchener
- Firefox, Firefox ESR, Thunderbird
- Fixed in
- Firefox 31
- Firefox ESR 24.7
- Thunderbird 24.7
- Thunderbird 31
Mozilla community member James Kitchener reported a crash in DirectWrite when rendering MathML content with specific fonts due to an error in how font resources and tables are handled. This leads to use-after-free of a DirectWrite font-face object, resulting in a potentially exploitable crash.
This issue is limited to the Windows platform and does not affect OS X or Linux systems. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.