Mozilla Foundation Security Advisory 2009-67

Integer overflow, crash in libtheora video library

Announced: December 15, 2009
Reporter: Dan Kaminsky, David Keeler
Impact: Critical
Products: Firefox, SeaMonkey, Thunderbird
Fixed in:
  • Firefox 3.5.6
  • SeaMonkey 2.0.1
  • Thunderbird 3.0.1

Description

Security researcher Dan Kaminsky reported an integer overflow in the Theora video library. A video's dimensions were multiplied together and the result was used in particular memory allocations. When the video dimensions were sufficiently large, the multiplication could overflow a 32-bit integer, so the memory buffer allocated for the video was too small. An attacker could use a specially crafted video to write data past the bounds of this buffer, causing a crash and potentially running arbitrary code on a victim's computer.

Mozilla intern David Keeler also independently reported this issue as well as an additional crash which was determined to be a denial-of-service.

Video capabilities were added to the Mozilla browser engine in Firefox 3.5, SeaMonkey 2.0, and Thunderbird 3.0; prior releases of these products were not affected.

These bugs were fixed upstream in Theora version 1.1 ("Thusnelda") but the older version used in Firefox 3.5 needed this patch.
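
The arithmetic failure described above, shown as an added example (this is not libtheora or Mozilla code): a plane size computed in 32 bits, beside a version that computes the product in 64 bits and bounds it before allocating. The function names, the one-byte-per-pixel layout, the 256 MiB cap `MAX_PLANE_BYTES` and the sample dimensions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical policy cap for one plane (256 MiB); not a libtheora value. */
#define MAX_PLANE_BYTES ((uint64_t)1 << 28)

/* Flawed pattern: the size is computed in 32 bits and wraps modulo 2^32,
 * so very large dimensions yield a small result. */
uint32_t plane_bytes_wrapping(uint32_t width, uint32_t height)
{
    return width * height;
}

/* Checked pattern: the product of two 32-bit values always fits in 64 bits,
 * so compute it there and bound it before it is used as an allocation size.
 * Returns 0 and stores the size on success, -1 if the dimensions are rejected. */
int plane_bytes_checked(uint32_t width, uint32_t height, size_t *out)
{
    uint64_t bytes = (uint64_t)width * (uint64_t)height;

    if (width == 0 || height == 0 || bytes > MAX_PLANE_BYTES)
        return -1;
    *out = (size_t)bytes;
    return 0;
}

/* Allocate a zeroed plane, or return NULL when the dimensions are rejected. */
unsigned char *alloc_plane(uint32_t width, uint32_t height)
{
    size_t bytes;

    if (plane_bytes_checked(width, height, &bytes) != 0)
        return NULL;
    return calloc(bytes, 1);
}

int main(void)
{
    /* Constructed sample dimensions: 65536 * 65537 = 2^32 + 65536. */
    uint32_t w = 65536u, h = 65537u;
    size_t bytes = 0;

    printf("true size:    %llu\n", (unsigned long long)w * h);
    printf("32-bit size:  %lu\n", (unsigned long)plane_bytes_wrapping(w, h));
    printf("checked call: %s\n",
           plane_bytes_checked(w, h, &bytes) == 0 ? "accepted" : "rejected");
    return 0;
}
```
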
