Buffer overflow and use-after-free issues found using Address Sanitizer

Buffer overflow and use-after-free issues found using Address Sanitizer

Announced

June 5, 2012

Reporter

Abhishek Arya

Impact

Critical

Products

Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR

Fixed in

• Firefox 13
• Firefox ESR 10.0.5
• SeaMonkey 2.10
• Thunderbird 13
• Thunderbird ESR 10.0.5

Description

Security researcher Abhishek Arya of Google used the Address Sanitizer tool to uncover several issues: two heap buffer overflow bugs and a use-after-free problem. The first heap buffer overflow was found in conversion from unicode to native character sets when the function fails. The use-after-free occurs in nsFrameList when working with column layout with absolute positioning in a container that changes size. The second buffer overflow occurs in nsHTMLReflowState when a window is resized on a page with nested columns and a combination of absolute and relative positioning. All three of these issues are potentially exploitable.

References

• Heap-buffer-overflow in utf16_to_isolatin1
• CVE-2012-1947

• Heap-use-after-free in nsFrameList::FirstChild
• CVE-2012-1940

• Heap-buffer-overflow in nsHTMLReflowState::CalculateHypotheticalBox, with nested multi-column, relative position, and absolute position
• CVE-2012-1941