Closed Bug 883605 Opened 11 years ago Closed 11 years ago

Mozilla Firefox 21.0 use after free

Categories

(Core :: JavaScript Engine, defect)

21 Branch
x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 664009

People

(Reporter: mr.k4rizma, Unassigned)

Details

Attachments

(1 file)

Attached file The test File
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release)
Build ID: 20130511120803

Steps to reproduce:

I created a test script in Mozilla Firefox.


Actual results:

Firefox crashed and got a heap spray which can be controlled to execute code.
This looks similar to bug 664009.  The core of this seems to be reduceRight on an array.
Assignee: nobody → general
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
This test case is pretty much identical to one you find when you google "firefox reduceRight exploit", in reference to CVE-2011-2371, so I'm going to assume this is a dupe...
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security