Mozilla Foundation Security Advisory 2011-22

Integer overflow and arbitrary code execution in Array.reduceRight()

Announced

June 21, 2011

Reporter

Chris Rohlf and Yan Ivnitskiy

Impact

Critical

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

Firefox 3.6.18
Firefox 5
SeaMonkey 2.2
Thunderbird 3.1.11

Description

Security researchers Chris Rohlf and Yan Ivnitskiy of Matasano Security reported that when a JavaScript Array object had its length set to an extremely large value, the iteration of array elements that occurs when its reduceRight method was subsequently called could result in the execution of attacker controlled memory due to an invalid index value being used to access element properties.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=664009
CVE-2011-2371

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2011-22

Integer overflow and arbitrary code execution in Array.reduceRight()

Description

References