Mozilla Foundation Security Advisory 2005-15

Heap overflow possible in UTF8 to Unicode conversion

Announced

February 24, 2005

Reporter

wind li

Risk

Low

Impact

High

Products

Firefox, Mozilla Suite, Thunderbird

Fixed in

Firefox 1.0.1
Mozilla Suite 1.7.6
Thunderbird 1.0.2

Description

It is possible for a UTF8 string with invalid sequences to trigger a heap overflow of converted Unicode data. Exploitability would depend on the attackers ability to get the string into the buggy converter. General web content is converted elsewhere but we can't rule out the possibility of a successful attack.

Workaround

Upgrade to a version that contains this fix.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=241440

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice