Mozilla Foundation Security Advisory 2014-59

Use-after-free in DirectWrite font handling

Announced
July 22, 2014
Reporter
James Kitchener
Impact
Critical
Products
Firefox, Firefox ESR, Thunderbird
Fixed in
  • Firefox 31
  • Firefox ESR 24.7
  • Thunderbird 24.7
  • Thunderbird 31

Description

Mozilla community member James Kitchener reported a crash in DirectWrite when rendering MathML content with specific fonts due to an error in how font resources and tables are handled. This leads to use-after-free of a DirectWrite font-face object, resulting in a potentially exploitable crash.

This issue is limited to the Windows platform and does not affect OS X or Linux systems. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

References