Closed Bug 883605 Opened 6 years ago Closed 6 years ago

Mozilla firefox 21.0 use after free

Categories

(Core :: JavaScript Engine, defect)

21 Branch
x86
Windows XP
defect
Not set

Tracking

()

RESOLVED DUPLICATE of bug 664009

People

(Reporter: mr.k4rizma, Unassigned)

Details

Attachments

(1 file)

Attached file The test File
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release)
Build ID: 20130511120803

Steps to reproduce:

I created a test script in mozilla firefox 


Actual results:

firefox get crashed and get a heap spray which is can be contoled yto exucute a code
This looks similar to bug 664009.  The core of this seems to be reduceRight on an array.
Assignee: nobody → general
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
This test case is pretty much identical to one you find when you google "firefox reduceRight exploit", in reference to CVE-2011-2371, so I'm going to assume this is a dupe...
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2011-2371
Group: core-security
You need to log in before you can comment on or make changes to this bug.