An integer overflow can occur in the SwizzleData code while calculating buffer sizes. The overflowed value is used for subsequent graphics computations when their inputs are not sanitized which results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, and Firefox < 61.
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
| Link | Tags |
|---|---|
| https://security.gentoo.org/glsa/201810-01 | vendor advisory mitigation third party advisory |
| https://www.mozilla.org/security/advisories/mfsa2018-15/ | vendor advisory |
| https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html | third party advisory mailing list |
| https://security.gentoo.org/glsa/201811-13 | vendor advisory mitigation third party advisory |
| https://www.debian.org/security/2018/dsa-4295 | third party advisory vendor advisory |
| https://www.mozilla.org/security/advisories/mfsa2018-16/ | vendor advisory |
| http://www.securitytracker.com/id/1041193 | third party advisory vdb entry |
| https://www.mozilla.org/security/advisories/mfsa2018-19/ | vendor advisory |
| https://bugzilla.mozilla.org/show_bug.cgi?id=1463244 | issue tracking permissions required |
| http://www.securityfocus.com/bid/104558 | third party advisory vdb entry |
| https://usn.ubuntu.com/3705-1/ | third party advisory vendor advisory |