A use-after-free vulnerability can occur when the SMIL animation controller incorrectly registers with the refresh driver twice when only a single registration is expected. When a registration is later freed with the removal of the animation controller element, the refresh driver incorrectly leaves a dangling pointer to the driver's observer array. External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9796
Acknowledgments: Name: the Mozilla project Upstream: Nils
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:0622 https://access.redhat.com/errata/RHSA-2019:0622
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:0623 https://access.redhat.com/errata/RHSA-2019:0623
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:0680 https://access.redhat.com/errata/RHSA-2019:0680
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:0681 https://access.redhat.com/errata/RHSA-2019:0681
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:0966 https://access.redhat.com/errata/RHSA-2019:0966
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1144 https://access.redhat.com/errata/RHSA-2019:1144