Mozilla Foundation Security Advisory 2011-37
Title: Integer underflow when using JavaScript RegExp
Impact: Critical
Announced: September 27, 2011
Reporter: Mark Kaplan
Products: Firefox 3.6
Fixed in: Firefox 3.6.23
Description
Mark Kaplan reported a potentially exploitable crash due to integer underflow when using a large JavaScript RegExp expression. We would also like to thank Mark for contributing the fix for this problem.
The Regular Expression engine was replaced in Firefox 4 and the newer engine does not suffer from this bug.
References
Crash in SpiderMonkey v.1.9.2 during regular expression evaluation
CVE-2011-2998