Mozilla Foundation Security Advisory 2012-61

Memory corruption with bitmap format images with negative height

Announced

August 28, 2012

Reporter

Frédéric Hoguin

Impact

Critical

Products

Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR

Fixed in

Firefox 15
Firefox ESR 10.0.7
SeaMonkey 2.12
Thunderbird 15
Thunderbird ESR 10.0.7

Description

Security researcher Frédéric Hoguin reported two related issues with the decoding of bitmap (.BMP) format images embedded in icon (.ICO) format files. When processing a negative "height" header value for the bitmap image, a memory corruption can be induced, allowing an attacker to write random memory and cause a crash. This crash may be potentially exploitable.

References

nsICODecoder transparency bitmask memory corruption
nsBMPDecoder alpha channel processing memory corruption
CVE-2012-3966

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2012-61

Memory corruption with bitmap format images with negative height

Description

References