Security Intelligence

Mozilla Firefox GIF Color Map Parsing Buffer Overflow Vulnerability



Firefox is the Mozilla Foundation's open source internet web browser. Among the browser's capabilities is the display of GIF images. GIF is a widely used image format with features such as loss-less compression, animation and color palettes. For more information, visit the URLs shown below.


Remote exploitation of a buffer overflow in the Mozilla Foundation's libpr0n image processing library allows attackers to execute arbitrary code.

The libpr0n GIF parser was designed using a state machine which is represented as a series of switch/case statements. One particularly interesting state, 'gif_image_header', is responsible for interpreting a single image/frame description record. A single GIF file may contain many images, each with a different color map associated.

The problem lies in the handling of changes to the color map of subsequent images in a multiple-image GIF file. Memory reallocation is not managed correctly and can result in an exploitable heap overflow condition.


Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user running the vulnerable application. To exploit this vulnerability, a targeted user must load a malicious Web page created by an attacker. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites.


iDefense confirmed the existence of this vulnerability using Mozilla Firefox versions 3.0.13 and 3.5.2 on 32-bit Windows XP SP3. Other versions, and potentially other applications using libpr0n, are suspected to be vulnerable.


Although it is not widely viewed as a viable workaround, disabling automatic image loading can prevent exploitation of this vulnerability. The following steps explains how to disable this setting on Firefox 3.0.x.

 1. From the "Tools" menu, select "Options" 2. Navigate to the "Content" settings. 3. Ensure that "Load images automatically" is not checked. 


Mozilla has released a patch which fixes this issue in Firefox 3.5.4, Firefox 3.0.15, and SeaMonkey 2.0. Information about downloadable vendor updates can be found by clicking on the URL shown.


The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-3373 to this issue. This is a candidate for inclusion in the CVE list (, which standardizes names for security problems.


08/20/2009 - Initial Vendor Notification
10/27/2009 - Vendor Public Disclosure
10/28/2009 - iDefense Public Disclosure


This vulnerability was reported to iDefense by regenrecht.

Get paid for vulnerability research

Free tools, research and upcoming events


Copyright © 2009 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.