Mozilla Foundation Security Advisory 2010-75
Buffer overflow while line breaking after document.write with long string
- Announced: December 9, 2010
- Reporter: Dirk Heinrich
- Impact: Critical
- Products: Firefox, SeaMonkey, Thunderbird
- Fixed in:
  - Firefox 3.5.16
  - Firefox 3.6.13
  - SeaMonkey 2.0.11
  - Thunderbird 3.0.11
  - Thunderbird 3.1.7
 
Description
Dirk Heinrich reported that on Windows platforms, when document.write() was called with a very long string, a buffer overflow was caused in line breaking routines attempting to process the string for display. Such cases triggered an invalid read past the end of an array, causing a crash which an attacker could potentially use to run arbitrary code on a victim's computer.
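The bug class described above is a scan for break opportunities that runs past the end of the text array when the input is a very long run. As an added illustration that is not Mozilla's code and is not modelled on the actual Gecko line-breaking routine, the following C breaks text into lines of at most `width` bytes while routing every character read through a bounds-checked accessor, so a long run with no space in it is hard-wrapped instead of being scanned beyond the buffer. The names `char_at`, `break_lines` and `oob_read_count`, and the 10,000-byte input, are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Mozilla's code: a minimal line-breaking pass whose
 * every character read goes through a bounds-checked accessor. It shows the
 * defensive shape for the bug class in the advisory (reading past the end of
 * the text array while scanning a very long string for break opportunities),
 * not Gecko's actual routine. */

#define NO_CHAR (-1)

static size_t oob_reads = 0;   /* reads that would have gone past the end */

/* Returns the byte at index i, or NO_CHAR when i is outside [0, len).
 * The out-of-range case is counted instead of performed. */
static int char_at(const char *text, size_t len, size_t i) {
    if (i >= len) {
        oob_reads++;
        return NO_CHAR;
    }
    return (unsigned char)text[i];
}

size_t oob_read_count(void) { return oob_reads; }

/* Splits text[0..len) into lines of at most `width` bytes, breaking at the
 * last space inside the window. A run longer than `width` that contains no
 * space is hard-wrapped at `width` rather than scanned onward. Line start
 * offsets are written to starts[0..max_lines); returns the line count. */
size_t break_lines(const char *text, size_t len, size_t width,
                   size_t *starts, size_t max_lines) {
    size_t nlines = 0, pos = 0;
    if (width == 0) return 0;
    while (pos < len && nlines < max_lines) {
        starts[nlines++] = pos;
        /* Remainder fits on this line; the check also avoids overflow in
         * pos + width for absurd widths. */
        if (len - pos <= width) break;
        size_t end = pos + width;   /* exclusive cut point; end < len here */
        size_t cut = end;
        /* Walk back from the cut point looking for a space. The accessor,
         * not raw indexing, is what guards the end of the buffer. */
        while (cut > pos && char_at(text, len, cut) != ' ')
            cut--;
        /* No space in the window: hard break at `end`; else skip the space. */
        pos = (cut == pos) ? end : cut + 1;
    }
    return nlines;
}

int main(void) {
    static char longrun[10000];
    size_t starts[256];
    /* Constructed input: one very long run with no break opportunity at all. */
    memset(longrun, 'a', sizeof longrun);
    size_t n = break_lines(longrun, sizeof longrun, 80, starts, 256);
    printf("%zu lines, %zu out-of-bounds reads attempted\n", n, oob_read_count());
    return 0;
}
```

The accessor is defence in depth: with the `len - pos <= width` check in place the scan never computes an index past `len`, and the counter makes that invariant observable in a test rather than something a reader has to trust.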