Use-after-free issues found using Address Sanitizer

Use-after-free issues found using Address Sanitizer

Announced

August 28, 2012

Reporter

Abhishek Arya

Impact

Critical

Products

Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR

Fixed in

• Firefox 15
• Firefox ESR 10.0.7
• SeaMonkey 2.12
• Thunderbird 15
• Thunderbird ESR 10.0.7

Description

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution.

References

• Heap-use-after-free in nsHTMLEditor::CollapseAdjacentTextNodes
• CVE-2012-1972

• Heap-use-after-free in nsObjectLoadingContent::LoadObject
• CVE-2012-1973

• Heap-use-after-free in gfxTextRun::CanBreakLineBefore
• CVE-2012-1974

• Heap-use-after-free in PresShell::CompleteMove
• CVE-2012-1975

• Heap-use-after-free in nsHTMLSelectElement::SubmitNamesValues
• CVE-2012-1976

• Heap-use-after-free in MediaStreamGraphThreadRunnable::Run()
• CVE-2012-3956

• Heap-buffer-overflow in nsBlockFrame::MarkLineDirty
• CVE-2012-3957

• Heap-use-after-free in nsHTMLEditRules::DeleteNonTableElements
• CVE-2012-3958

• Heap-use-after-free in nsRangeUpdater::SelAdjDeleteNode
• CVE-2012-3959

• Heap-use-after-free in mozSpellChecker::SetCurrentDictionary
• CVE-2012-3960

• Heap-use-after-free in RangeData::~RangeData
• CVE-2012-3961

• Bad iterator in text runs
• CVE-2012-3962

• use after free in js::gc::MapAllocToTraceKind
• CVE-2012-3963

• Heap-use-after-free READ 8 in gfxTextRun::GetUserData
• CVE-2012-3964