Mozilla Foundation Security Advisory 2010-50
Title: Frameset integer overflow vulnerability
Announced: September 7, 2010
Reporter: Chris Rohlf
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.6.9
Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in, the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory.
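The bug class described above, shown as an added C example that is not Mozilla's code: a column counter that wraps next to a version that counts in `size_t`, enforces a cap, and checks the allocation size. All names, the `MAX_SPECS` cap and the 16-bit counter width are assumptions chosen so the wrap is observable with a small constructed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-column record; not the browser's real type. */
typedef struct { int unit; int value; } col_spec;
#define MAX_SPECS 1000u /* assumed policy cap for this example */

/* Flawed pattern: the counter is narrower than the number of entries the
 * input can carry, so it wraps and later under-sizes the allocation.
 * uint16_t is an assumption made only to keep the demo input small. */
uint16_t count_cols_narrow(const char *s) {
    uint16_t n = 1;
    for (; *s; s++) if (*s == ',') n++;
    return n;
}

/* Hardened pattern: count in size_t, stop at the cap, and verify that
 * count * element size cannot wrap (calloc also checks this itself). */
col_spec *alloc_specs_checked(const char *s, size_t *out_n) {
    size_t n = 1;
    for (; *s; s++)
        if (*s == ',' && ++n > MAX_SPECS) return NULL;
    if (n > SIZE_MAX / sizeof(col_spec)) return NULL;
    col_spec *p = calloc(n, sizeof *p);
    if (p) *out_n = n;
    return p;
}

/* Builds a constructed cols value "1,1,...,1" with `cols` entries. */
char *make_cols(size_t cols) {
    if (cols == 0) return NULL;
    char *s = malloc(cols * 2);
    if (!s) return NULL;
    for (size_t i = 0; i < cols; i++) { s[2 * i] = '1'; s[2 * i + 1] = ','; }
    s[cols * 2 - 1] = '\0'; /* replace the trailing comma */
    return s;
}

int main(void) {
    char *big = make_cols(65537); /* constructed oversized input */
    size_t n = 0;
    if (!big) return 1;
    printf("narrow counter sees %u column(s)\n", (unsigned)count_cols_narrow(big));
    printf("checked allocation %s\n", alloc_specs_checked(big, &n) ? "accepted" : "rejected");
    free(big);
    return 0;
}
```

With 65537 entries the narrow counter reports 1, so a buffer sized from it would hold one record while the parser goes on to fill thousands; the checked version refuses the input before allocating.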