You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-52

Mozilla Foundation Security Advisory 2012-52

Title: JSDependentString::undepend string conversion results in memory corruption
Impact: Critical
Announced: July 17, 2012
Reporter: Bill Keese
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
  Firefox ESR 10.0.6
  Thunderbird 14
  Thunderbird ESR 10.0.6
  SeaMonkey 2.11


Security researcher Bill Keese reported a memory corruption. This is caused by JSDependentString::undepend changing a dependent string into a fixed string when there are additional dependent strings relying on the same base. When the undepend occurs during conversion, the base data is freed, leaving other dependent strings with dangling pointers. This can lead to a potentially exploitable crash.