Use-after-free when resizing canvas element during restyling
- August 27, 2015
- Jean-Max Reymond
- Firefox, Firefox ESR, SeaMonkey
- Fixed in
  - Firefox 40.0.3
  - Firefox ESR 38.2.1
  - SeaMonkey 2.35
Mozilla community member Jean-Max Reymond discovered a use-after-free vulnerability with a <canvas> element on a page. This occurs when a resize event is triggered in concert with style changes, but the canvas references have been recreated in the meantime, destroying the originally referenced context. This results in an exploitable crash.
Ucha Gobejishvili, working with HP's Zero Day Initiative, subsequently reported this same issue.
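The bug class the advisory describes, modelled in a small C example added here (this is not Firefox code and does not reproduce the actual canvas implementation): a drawing routine caches a raw pointer to a canvas backing buffer, then runs a callback that can restyle and resize the canvas, which frees and recreates that buffer. The `Canvas`, `Context`-style caching, `restyle_callback` and the "restyle doubles the canvas" behaviour are all assumptions made for the example. The write through the stale pointer is replaced by a generation check so the example can run without touching freed memory; the hardened variant re-reads the owner's current pointer after the callback instead of trusting a cached one.

```c
#include <stdlib.h>
#include <string.h>

/* Modelled example of the use-after-free shape in the advisory above
 * (added illustration, not Firefox code). */

typedef struct {
    unsigned char *pixels;   /* backing store, replaced on every resize */
    size_t len;
    unsigned generation;     /* incremented each time pixels is replaced */
} Canvas;

/* Allocate an initial backing store. */
static int canvas_init(Canvas *c, size_t len) {
    c->pixels = calloc(len, 1);
    if (!c->pixels) return -1;
    c->len = len;
    c->generation = 0;
    return 0;
}

/* Resize: free the old buffer and allocate a fresh one. Any pointer that
 * still refers to the old buffer is dangling after this call. */
static int canvas_resize(Canvas *c, size_t len) {
    unsigned char *fresh = calloc(len, 1);
    if (!fresh) return -1;
    free(c->pixels);
    c->pixels = fresh;
    c->len = len;
    c->generation++;
    return 0;
}

static void canvas_destroy(Canvas *c) {
    free(c->pixels);
    c->pixels = NULL;
    c->len = 0;
}

/* Stand-in for "style change triggers a resize event" (assumption for this
 * example): the restyle doubles the canvas, recreating its backing store. */
static int restyle_callback(Canvas *c) {
    return canvas_resize(c, c->len * 2);
}

/* Vulnerable shape: the buffer pointer is cached before a call that can
 * reallocate it. Instead of writing through the stale pointer, the example
 * returns -1 at the exact point where real code would write into freed
 * memory; 0 means the write happened on a still-valid buffer. */
static int draw_cached(Canvas *c, unsigned char value) {
    unsigned char *cached = c->pixels;
    unsigned seen = c->generation;
    if (restyle_callback(c) != 0) return -2;
    if (c->generation != seen) {
        (void)cached;            /* dangling: its buffer was freed above */
        return -1;
    }
    cached[0] = value;
    return 0;
}

/* Hardened shape: never hold the buffer pointer across a call that can
 * mutate the owner; re-read it afterwards and bounds-check the new length. */
static int draw_refetch(Canvas *c, unsigned char value) {
    if (restyle_callback(c) != 0) return -2;
    if (c->len == 0) return -1;
    c->pixels[0] = value;        /* current buffer, not a cached one */
    return 0;
}

int main(void) {
    Canvas c;
    if (canvas_init(&c, 16) != 0) return 1;
    int stale = draw_cached(&c, 0xAB);   /* -1: restyle replaced the buffer */
    int ok = draw_refetch(&c, 0xAB);     /* 0: wrote into the live buffer */
    canvas_destroy(&c);
    return (stale == -1 && ok == 0) ? 0 : 1;
}
```

The generation counter is only there to make the stale access observable in a runnable example; in a real code base the equivalent defences are holding a strong (reference-counted) handle to the buffer for the duration of the operation, or re-fetching the pointer from its owner after any call that can run script or restyle, and AddressSanitizer builds will flag the cached-pointer variant directly.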