Mozilla Foundation Security Advisory 2018-08

Out of bounds memory write while processing Vorbis audio data

Announced
March 16, 2018
Impact
critical
Products
Firefox, Firefox ESR
Fixed in
  • Firefox 59.0.1
  • Firefox ESR 52.7.2

#CVE-2018-5146: Out of bounds memory write in libvorbis

Reporter
Richard Zhu via Trend Micro's Zero Day Initiative
Impact
critical
Description

An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest.

References

#CVE-2018-5147: Out of bounds memory write in libtremor

Reporter
Huzaifa Sidhpurwala
Impact
critical
Description

The libtremor library has the same flaw as CVE-2018-5146. This library is used by Firefox in place of libvorbis on Android and ARM platforms.

References