Endpoint Vulnerability

Out-of-bounds read/write through neutering ArrayBuffer objects


Security researcher Jüri Aedla, via TippingPoint's Pwn2Own contest, reported that TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the JavaScript heap, allowing for arbitrary code execution.
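The invariant a fixed engine has to keep can be checked from script. The following is an added example, not code from the advisory or from Mozilla: it neuters (detaches) a buffer while typed array and DataView objects still refer to it, then confirms that every view reports zero length and refuses access instead of using its earlier size. It assumes a runtime that provides `structuredClone` with the `transfer` option (Node 17+ or a current browser); the function names are hypothetical.

```javascript
// Added example: regression-style check that views over a neutered
// (detached) ArrayBuffer behave as empty rather than using a stale length.

// Neuter `buf` by transferring ownership of its storage away.
// Assumption: structuredClone with { transfer } is available.
function neuter(buf) {
  structuredClone(buf, { transfer: [buf] });
}

// Name of the error thrown by fn, or null if it did not throw.
function thrown(fn) {
  try { fn(); return null; } catch (e) { return e.name; }
}

function checkNeuteredViews() {
  const buf = new ArrayBuffer(64);
  const u8 = new Uint8Array(buf, 8, 16);  // view with a non-zero offset
  const f64 = new Float64Array(buf);      // view over the whole buffer
  const dv = new DataView(buf);
  u8[0] = 0x41;
  const before = { bufLen: buf.byteLength, u8Len: u8.length, first: u8[0] };

  neuter(buf);   // the buffer's length becomes zero while views still exist
  u8[0] = 0x42;  // a write through the old view must be ignored

  return {
    before,
    bufLen: buf.byteLength,        // 0 once neutered
    u8Len: u8.length,              // views must track the buffer: 0
    u8Offset: u8.byteOffset,       // 0, the old offset is no longer valid
    f64Len: f64.length,            // 0
    readAfter: u8[0],              // undefined, not the old 0x41
    readFarIndex: f64[7],          // undefined, index was valid before
    bulkWrite: thrown(() => u8.set([1, 2, 3])),
    dataViewRead: thrown(() => dv.getUint8(0)),
    newView: thrown(() => new Uint8Array(buf)),
  };
}

console.log(checkNeuteredViews());
```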

Affected Products

Firefox ESR