Mozilla Foundation Security Advisory 2015-18

Double-free when using non-default memory allocators with a zero-length XHR

Announced

February 24, 2015

Reporter

Abhishek Arya, Gary Kwong

Impact

High

Products

Firefox, SeaMonkey

Fixed in

Firefox 36
SeaMonkey 2.33

Description

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team and Mozilla security developer Gary Kwong used the Address Sanitizer tool to discover a double-free error when sending a zero-length XmlHttpRequest (XHR). This was due to errors in memory allocation when using different memory allocator libraries than jemalloc used by Mozilla builds. When those other memory allocators are used for build compilation, this could cause a potentially exploitable crash during some XHR actions.

This vulnerability does not happen in Firefox as built by Mozilla, but can occur when Firefox is built using a memory allocator that follows older pre-standard behaviors.

References

AddressSanitizer: double-free with zero-length XHR (CVE-2015-0828)
Heap-double-free in nsXMLHttpRequest::GetResponse

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2015-18

Double-free when using non-default memory allocators with a zero-length XHR

Description

References