It was reported that an unspecified memory allocation bug related to PR_*printf functions was fixed in nspr 4.12.

External Reference: https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/dV4MyMsg6jw
Upstream bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=1174015
Upstream commit: https://hg.mozilla.org/projects/nspr/rev/96381e3aaae2
This issue was fixed in nspr-4.12.
Fedora 22 and Fedora 23 currently ship nspr-4.12 and therefore are not affected by this flaw.
This issue will be fixed in the next nspr rebase in minor versions of RHEL 6 and 7.
Analysis: There is an integer overflow followed by a heap-buffer overflow in the functions PR_vsmprintf() and PR_vsprintf_append(). Both of these functions internally use GrowStuff(), which uses 32-bit integers to calculate string sizes, which results in overflow at different places depending on 32-bit or 64-bit architecture. Applications compiled against the NSS library, in which very large untrusted strings are passed to the above functions, are vulnerable to this flaw.
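
A simplified model of the 32-bit size arithmetic described in the analysis above, next to a checked form that rejects the request instead of wrapping. This is an added example, not NSPR's GrowStuff() code or the upstream patch; strbuf, unchecked_new_cap, checked_new_cap and strbuf_append are hypothetical names, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer (constructed for this example, not NSPR's types). */
typedef struct { char *base; uint32_t len, cap; } strbuf;

/* Unchecked 32-bit sum: wraps modulo 2^32, so the "grown" size can shrink. */
uint32_t unchecked_new_cap(uint32_t cap, uint32_t add)
{
    return cap + (add > 32 ? add : 32);
}

/* Checked form: refuse the request instead of wrapping. */
int checked_new_cap(uint32_t cap, uint32_t add, uint32_t *out)
{
    uint32_t step = add > 32 ? add : 32;
    if (step > UINT32_MAX - cap)
        return -1;
    *out = cap + step;
    return 0;
}

/* Append n bytes; returns 0 on success, -1 on overflow or allocation failure. */
int strbuf_append(strbuf *sb, const char *src, size_t n)
{
    if (n > UINT32_MAX)                 /* size_t is 64-bit on LP64 targets */
        return -1;
    if (sb->cap - sb->len < n) {
        uint32_t need;
        if (checked_new_cap(sb->cap, (uint32_t)n, &need) != 0)
            return -1;
        char *p = realloc(sb->base, need);
        if (p == NULL)
            return -1;
        sb->base = p; sb->cap = need;
    }
    memcpy(sb->base + sb->len, src, n);
    sb->len += (uint32_t)n;
    return 0;
}

int main(void)
{
    strbuf sb = { NULL, 0xFFFFFFF0u, 0xFFFFFFF0u };  /* constructed: nearly full */
    printf("unchecked: %u\n", (unsigned)unchecked_new_cap(0xFFFFFFF0u, 0x40u));
    printf("checked append: %d\n", strbuf_append(&sb, "x", 0x40));
    return 0;
}
```

The unchecked helper reports a new capacity of 48 bytes for a buffer that already claims almost 4 GiB, which is the condition that precedes the heap-buffer overflow; the checked path returns -1 before any allocation or copy.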