Use-after-free vulnerability in Mozilla Firefox and Thunderbird when scrolling graphical layers
Description
When recursing through graphical layers while scrolling, an iterator may become invalid, resulting in a potential use-after-free. This occurs because the function APZCTreeManager::ComputeClippedCompositionBounds did not follow iterator invalidation rules.
Affected software versions
- Firefox before version 81
- Thunderbird before version 78.3
- Firefox ESR before version 78.3
Vulnerability type
Use-after-free
CVSS3: 8.8 High
CVSS2: 6.8 Medium