Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that JavaScript arrays were vulnerable to an integer overflow vulnerability. The report demonstrated that an array could be constructed containing a very large number of items such that when memory was allocated to store the array items, the integer value used to calculate the buffer size would overflow resulting in too small a buffer being allocated. Subsequent use of the array object could then result in data being written past the end of the buffer and causing memory corruption.
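The size-calculation failure described above, shown beside a checked version. This is an added example, not code from the report or from Mozilla's JavaScript engine; the 32-bit size type, the 8-byte `ITEM_SIZE`, the function names and the sample count are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ITEM_SIZE 8u /* assumed size of one array slot, in bytes */

/* Unchecked: the product wraps modulo 2^32, so a very large item
 * count yields a small byte size and an undersized buffer. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * ITEM_SIZE;
}

/* Checked: reject any count whose byte size cannot be represented.
 * Returns 0 and stores the size on success, -1 on overflow. */
int checked_alloc_size(uint32_t count, uint32_t *out)
{
    if (count > UINT32_MAX / ITEM_SIZE)
        return -1;
    *out = count * ITEM_SIZE;
    return 0;
}

/* Allocate zeroed storage for count items, or NULL if the size
 * calculation would overflow or the allocation fails. */
void *alloc_items(uint32_t count)
{
    uint32_t bytes;
    if (checked_alloc_size(count, &bytes) != 0)
        return NULL;
    return calloc(1, bytes ? bytes : 1);
}

int main(void)
{
    uint32_t count = 0x20000001u; /* constructed sample value */
    uint32_t bytes = 0;

    printf("unchecked: %u items -> %u bytes\n",
           (unsigned)count, (unsigned)unchecked_alloc_size(count));
    if (checked_alloc_size(count, &bytes) != 0)
        printf("checked:   %u items -> rejected\n", (unsigned)count);
    return 0;
}
```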
This is now public: http://www.mozilla.org/security/announce/2010/mfsa2010-81.html
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2010:0966 https://rhn.redhat.com/errata/RHSA-2010-0966.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0967 https://rhn.redhat.com/errata/RHSA-2010-0967.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0968 https://rhn.redhat.com/errata/RHSA-2010-0968.html