Mozilla Foundation Security Advisory 2010-48

vulners.com, 2010-07-24

Title: Dangling pointer crash regression from plugin parameter array fix
Impact: Critical
Announced: July 20, 2010
Reporter: Daniel Holbert
Products: Firefox 3.6.7

Fixed in: Firefox 3.6.8
Description

Mozilla developer Daniel Holbert reported that the fix for the plugin parameter array crash, shipped in Firefox 3.6.7, introduced a new crash showing signs of memory corruption. In certain circumstances, properties in the plugin instance's parameter array could be freed prematurely, leaving a dangling pointer that the plugin could execute, potentially calling into attacker-controlled memory.

Firefox 3.5.11 was also affected by the regression, but the equivalent pointer was always initialized to NULL and was not exploitable.
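The premature free and the NULL contrast described above, as an added C illustration: this is not Mozilla's code and does not model Firefox's real plugin data structures; the types and function names (PluginParam, PluginInstance, plugin_params_release_buggy, plugin_params_release_safe, plugin_param_get) are hypothetical, and the buggy teardown is shown only to be read beside the hardened one.

```c
#include <stdlib.h>
#include <string.h>
/* Model of a plugin parameter array (not Mozilla's code): names are borrowed
 * from the caller, values are owned heap copies. */
typedef struct { const char *name; char *value; } PluginParam;
typedef struct { PluginParam *params; size_t count; } PluginInstance;

static char *dup_str(const char *s) /* portable strdup */
{
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Build the array from n name/value pairs; returns 0 on success. */
int plugin_instance_init(PluginInstance *inst, const char **names,
                         const char **values, size_t n)
{
    if (!(inst->params = calloc(n, sizeof *inst->params))) return -1;
    inst->count = n;
    for (size_t i = 0; i < n; i++) {
        inst->params[i].name = names[i];
        if (!(inst->params[i].value = dup_str(values[i]))) return -1;
    }
    return 0;
}

/* Buggy teardown: frees each value but leaves the pointer in the array, so a
 * later lookup hands back freed memory (the premature free in the advisory). */
void plugin_params_release_buggy(PluginInstance *inst)
{
    for (size_t i = 0; i < inst->count; i++)
        free(inst->params[i].value); /* entry now dangles */
}

/* Hardened teardown: NULL each pointer after freeing and drop the array, so a
 * stale reference yields NULL (a checkable failure) instead of freed memory. */
void plugin_params_release_safe(PluginInstance *inst)
{
    for (size_t i = 0; i < inst->count; i++) { free(inst->params[i].value); inst->params[i].value = NULL; }
    free(inst->params); inst->params = NULL; inst->count = 0;
}

/* Lookup that treats a missing array or entry as absent instead of following a freed pointer. */
const char *plugin_param_get(const PluginInstance *inst, const char *name)
{
    if (!inst || !inst->params) return NULL;
    for (size_t i = 0; i < inst->count; i++)
        if (inst->params[i].name && strcmp(inst->params[i].name, name) == 0)
            return inst->params[i].value;
    return NULL;
}
```

The sample names and values in the test are constructed; calling the buggy teardown and then looking up a parameter is undefined behaviour, which is exactly the class of defect the advisory reports.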
References

* https://bugzilla.mozilla.org/show_bug.cgi?id=575836
* CVE-2010-2755