You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2011-22
Mozilla Foundation Security Advisory 2011-22
Title: Integer overflow and arbitrary code execution in Array.reduceRight()
Impact: Critical
Announced: June 21, 2011
Reporter: Chris Rohlf and Yan Ivnitskiy
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 5
Firefox 3.6.18
Thunderbird 3.1.11
SeaMonkey 2.2
Description
Security researchers Chris Rohlf and Yan
Ivnitskiy of Matasano Security reported that when a
JavaScript Array
object had its length set to an
extremely large value, the iteration of array elements that occurs
when its reduceRight
method was subsequently called could
result in the execution of attacker controlled memory due to an
invalid index value being used to access element properties.