Mozilla Foundation Security Advisory 2010-39

nsCSSValue::Array index integer overflow

Announced

July 20, 2010

Reporter

J23 (via TippingPoint's Zero Day Initiative)

Impact

Critical

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

Firefox 3.5.11
Firefox 3.6.7
SeaMonkey 2.0.6
Thunderbird 3.0.6
Thunderbird 3.1.1

Description

Security researcher J23 reported via TippingPoint's Zero Day Initiative that an array class used to store CSS values contained an integer overflow vulnerability. The 16 bit integer value used in allocating the size of the array could overflow, resulting in too small a memory buffer being created. When the array was later populated with CSS values data would be written past the end of the buffer potentially resulting in the execution of attacker-controlled memory.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=574059
CVE-2010-2752

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2010-39

nsCSSValue::Array index integer overflow

Description

References