Friday, March 30, 2007
MoBB #4: Mozilla Firefox DesignMode
The following bug was tested on Mozilla Firefox 1.5.0.2 running on Gentoo Linux. It was fixed in Firefox 1.5.0.3, after three other people reported the issue to Mozilla. The bug results in a call through a function pointer that no longer exists on the heap. Exploiting it is more annoying than difficult, since getting user-provided memory to map over the freed object pointer is more convoluted than it should be.
This bug was addressed in MFSA2006-30.
This bug has been added to the OSVDB:
Mozilla Firefox iframe.contentWindow.focus() Overflow