Mozilla Foundation Security Advisory 2015-39

Use-after-free due to type confusion flaws

Announced
March 31, 2015
Reporter
Nils
Impact
Critical
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 37
  • SeaMonkey 2.35

Description

Security researcher Nils used the Address Sanitizer tool to discover two type confusion flaws. The first of these occurs while setting specific attributes of a source element resulting in incorrect object casting. The second flaw occurs when binding a source to a tree when the function fails to validate the namespace. These flaws lead to use-after-free errors, resulting in potentially exploitable crashes.

References