Mozilla Foundation Security Advisory 2010-75
Title: Buffer overflow while line breaking after document.write with long string
Impact: Critical
Announced: December 9, 2010
Reporter: Dirk Heinrich
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.6.13
Firefox 3.5.16
Thunderbird 3.1.7
Thunderbird 3.0.11
SeaMonkey 2.0.11
Description
Dirk Heinrich reported that on Windows platforms when document.write() was called with a very long string a buffer overflow was caused in line breaking routines attempting to process the string for display. Such cases triggered an invalid read past the end of an array causing a crash which an attacker could potentially use to run arbitrary code on a victim's computer.
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=608336
* CVE-2010-3769