Mozilla Foundation Security Advisory 2010-41
Remote code execution using malformed PNG image
- Announced
- July 20, 2010
- Reporter
- Aki Helin
- Impact
- Critical
- Products
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 3.5.11
- Firefox 3.6.7
- SeaMonkey 2.0.6
- Thunderbird 3.0.6
- Thunderbird 3.1.1
 
Description
OUSPG researcher Aki Helin reported a buffer overflow in Mozilla graphics code that consumes image data processed by libpng. A malformed PNG file could be created that would cause libpng to incorrectly report the size of the image to downstream consumers. When the dimensions of such an image are underreported, the Mozilla code responsible for displaying the graphic allocates a memory buffer too small to hold the image data and ends up writing data past the end of the buffer. This could result in the execution of attacker-controlled code.
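As an added example that is not Mozilla's or libpng's code, the following C sketch shows the downstream check that defends against this class of bug: the consumer sizes its buffer from the header-reported dimensions but refuses any decoded row whose index or length disagrees with what it actually allocated, and it checks the size multiplication for overflow. All type and function names are hypothetical, and the scenario data is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical image buffer; not a Mozilla structure. */
typedef struct {
    uint32_t width, height;  /* dimensions reported by the decoder header */
    size_t   row_bytes;      /* bytes per row actually allocated */
    size_t   capacity;       /* total bytes allocated */
    uint8_t *pixels;
} ImageBuffer;

/* Allocate from header dimensions with overflow-checked multiplication.
   Returns 0 on success, -1 on rejection or allocation failure. */
int image_alloc(ImageBuffer *img, uint32_t width, uint32_t height, uint32_t bpp) {
    if (width == 0 || height == 0 || bpp == 0) return -1;
    if ((size_t)width > SIZE_MAX / bpp) return -1;
    size_t row = (size_t)width * bpp;
    if (row > SIZE_MAX / height) return -1;
    img->width = width;  img->height = height;
    img->row_bytes = row; img->capacity = row * height;
    img->pixels = calloc(img->capacity, 1);
    return img->pixels ? 0 : -1;
}

/* Row sink called once per decoded row. Rather than trusting the header,
   it validates the row index and the delivered row length against the
   buffer that was really allocated. Returns 0 if written, -1 if rejected. */
int image_write_row(ImageBuffer *img, uint32_t row_index,
                    const uint8_t *row, size_t row_len) {
    if (row_index >= img->height) return -1;             /* more rows than advertised */
    if (row_len != img->row_bytes) return -1;             /* row length disagrees */
    size_t off = (size_t)row_index * img->row_bytes;
    if (off > img->capacity - img->row_bytes) return -1;  /* belt and braces */
    memcpy(img->pixels + off, row, row_len);
    return 0;
}

void image_free(ImageBuffer *img) { free(img->pixels); img->pixels = NULL; img->capacity = 0; }

/* Constructed scenario: header claims 2x2 RGB (12 bytes), but the decoder
   then delivers a 9-byte row and a third row. Returns the number of rejected rows. */
int demo_underreported_dimensions(void) {
    ImageBuffer img;
    if (image_alloc(&img, 2, 2, 3) != 0) return -1;
    uint8_t row6[6] = {0}, row9[9] = {0};
    int rejected = 0;
    rejected += image_write_row(&img, 0, row6, 6) != 0;  /* accepted */
    rejected += image_write_row(&img, 1, row9, 9) != 0;  /* rejected: wrong length */
    rejected += image_write_row(&img, 2, row6, 6) != 0;  /* rejected: beyond height */
    image_free(&img);
    return rejected;
}
```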