You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-63

Mozilla Foundation Security Advisory 2012-63

Title: SVG buffer overflow and use-after-free issues
Impact: Critical
Announced: August 28, 2012
Reporter: Arthur Gerkis
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 15
  Firefox ESR 10.0.7
  Thunderbird 15
  Thunderbird ESR 10.0.7
  SeaMonkey 2.12

Description

Security researcher Arthur Gerkis used the Address Sanitizer tool to find two issues involving Scalable Vector Graphics (SVG) files. The first issue is a buffer overflow in Gecko's SVG filter code when the sum of two values is too large to be stored as a signed 32-bit integer, causing the function to write past the end of an array. The second issue is a use-after-free when an element with a "requiredFeatures" attribute is moved between documents. In that situation, the internal representation of the "requiredFeatures" value could be freed prematurely. Both issues are potentially exploitable.

References