CESA-2009-010 - rev 1
[See all my vulnerabilities at
http://scary.beasts.org/security]
[Blog if you want to subscribe to new findings is at
http://scarybeastsecurity.blogspot.com/]
WebKit off-by-one heap overflow
Programs affected: WebKit consumers (Safari, Chrome, etc.).
Severity: Possible code execution (confined to the renderer sandbox where the browser has one, e.g. Chrome; unsandboxed in browsers without one).
CVE-2009-1725
The bug is best described with the simple patch that fixes it:
http://trac.webkit.org/changeset/44799/trunk/WebCore/html/HTMLTokenizer.cpp
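To make the bug class concrete, here is an added, constructed illustration of an off-by-one in a fixed-size tokenizer scratch buffer, shown beside the corrected bound check. It is not WebKit's code and does not reproduce the exact HTMLTokenizer logic; the buffer size TOKEN_MAX, the function names and the sample entity input are all assumptions. The one spare byte allocated past the logical buffer stands in for whatever neighbours the buffer on the heap (for a single-byte heap overflow that is typically the next chunk's header, which is what the heap paper below is about).

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a small scratch buffer into which a tokenizer
   accumulates a character-entity token such as "&#12345;".
   TOKEN_MAX and SENTINEL are assumed values, not WebKit's. */
#define TOKEN_MAX 10
#define SENTINEL  0xA5

/* Buggy variant: the guard admits pos == TOKEN_MAX, which is one past the
   last valid index, so an over-long token stores one byte beyond the buffer. */
static size_t accumulate_buggy(unsigned char *dst, const char *src, size_t len) {
    size_t pos = 0;
    for (size_t i = 0; i < len; i++) {
        if (pos <= TOKEN_MAX)          /* BUG: should be '<' */
            dst[pos++] = (unsigned char)src[i];
    }
    return pos;                        /* bytes stored: up to TOKEN_MAX + 1 */
}

/* Fixed variant: strict '<' keeps every store inside dst[0..TOKEN_MAX-1]. */
static size_t accumulate_fixed(unsigned char *dst, const char *src, size_t len) {
    size_t pos = 0;
    for (size_t i = 0; i < len; i++) {
        if (pos < TOKEN_MAX)
            dst[pos++] = (unsigned char)src[i];
    }
    return pos;                        /* bytes stored: at most TOKEN_MAX */
}

typedef size_t (*accumulate_fn)(unsigned char *, const char *, size_t);

/* Constructed input, deliberately longer than TOKEN_MAX. */
static const char *LONG_ENTITY = "&#1234567890123;";

/* Number of bytes a variant stores for the over-long input. */
static size_t bytes_stored(accumulate_fn fn) {
    unsigned char buf[TOKEN_MAX + 1];  /* spare byte so the buggy write stays in bounds here */
    return fn(buf, LONG_ENTITY, strlen(LONG_ENTITY));
}

/* Places a guard byte just past the logical buffer (the spare byte models the
   adjacent heap memory), runs a variant, and reports 1 if the guard survived,
   0 if it was overwritten, -1 on allocation failure. */
static int guard_intact(accumulate_fn fn) {
    unsigned char *buf = malloc(TOKEN_MAX + 1);
    if (!buf)
        return -1;
    memset(buf, 0, TOKEN_MAX + 1);
    buf[TOKEN_MAX] = SENTINEL;
    fn(buf, LONG_ENTITY, strlen(LONG_ENTITY));
    int ok = (buf[TOKEN_MAX] == SENTINEL);
    free(buf);
    return ok;
}

int main(void) {
    printf("buggy: stored %zu bytes, guard intact: %d\n",
           bytes_stored(accumulate_buggy), guard_intact(accumulate_buggy));
    printf("fixed: stored %zu bytes, guard intact: %d\n",
           bytes_stored(accumulate_fixed), guard_intact(accumulate_fixed));
    return 0;
}
```

In a real allocator there is no spare byte: the extra store lands on whatever follows the chunk, and a single attacker-controlled byte there is exactly the precondition the Black Hat paper linked below builds on.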
For further technical considerations on one-byte heap overflows, I enjoyed this
paper from Black Hat USA 2009 (Las Vegas):
http://www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf
Long since fixed in the latest Apple / Chrome updates.
Chris Evans
scarybeasts@gmail.com