Mozilla Foundation Security Advisory 2012-10
use after free in nsXBLDocumentInfo::ReadPrototypeBindings
- Announced
- February 10, 2012
- Reporter
- Andrew McCreight, Olli Pettay
- Impact
- Critical
- Products
- Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
- Fixed in
- 
        - Firefox 10.0.1
- Firefox ESR 10.0.1
- SeaMonkey 2.7.1
- Thunderbird 10.0.1
- Thunderbird ESR 10.0.1
 
Description
Mozilla developers Andrew McCreight and Olli Pettay found that ReadPrototypeBindings will leave a XBL binding in a hash table even when the function fails. If this occurs, when the cycle collector reads this hash table and attempts to do a virtual method on this binding a crash will occur. This crash may be potentially exploitable.
Firefox 9 and earlier are not affected by this vulnerability.