A heap memory buffer overflow vulnerability exists within the WebKit’s JavaScriptCore JSArray::sort(…) method. This method accepts the user-defined JavaScript function and calls it from the native code to compare array items. If this compare function reduces array length, then the trailing array items will be written outside the “m_storage->m_vector[]” buffer, which leads to the heap memory corruption. This finding was purchased through the Packet Storm Bug Bounty program…. A heap memory buffer overflow vulnerability exists within the WebKit’s JavaScriptCore JSArray::sort(…) method. This method accepts the user-defined JavaScript function and calls it from the native code to compare array items. If this compare function reduces array length, then the trailing array items will be written outside the “m_storage->m_vector[]” buffer, which leads to the heap memory corruption. This finding was purchased through the Packet Storm Bug Bounty program.

Read more http://packetstormsecurity.com/files/123089/PSA-2013-0903-1.txt