Crash and remote code execution using HTML tags inside a XUL tree — Mozilla

Security researcher wushi of team509 reported that when a XUL tree had an HTML

element nested inside a element then code attempting to display content in the XUL tree would incorrectly treat the

element as a parent node to tree content underneath it resulting in incorrect indexes being calculated for the child content. These incorrect indexes were used in subsequent array operations which resulted in writing data past the end of an allocated buffer. An attacker could use this issue to crash a victim’s browser and run arbitrary code on their machine.