Security researcher Arthur Gerkis used the Address Sanitizer tool to find two issues involving Scalable Vector Graphics (SVG) files. The first issue is a buffer overflow in Gecko's SVG filter code when the sum of two values is too large to be stored as a signed 32-bit integer, causing the function to write past the end of an array. The second issue is a use-after-free when an element with a "requiredFeatures" attribute is moved between documents. In that situation, the internal representation of the "requiredFeatures" value could be freed prematurely. Both issues are potentially exploitable. Reference: http://www.mozilla.org/security/announce/2012/mfsa2012-63.html Acknowledgements: Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Arthur Gerkis as the original reporter of this flaw.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2012:1211 https://rhn.redhat.com/errata/RHSA-2012-1211.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2012:1210 https://rhn.redhat.com/errata/RHSA-2012-1210.html