
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-34480 is a vulnerability discovered in Firefox versions prior to 102, reported by Ronald Crane. The vulnerability was disclosed on June 28, 2022, and affects the lg_init() function in Firefox's security component. This issue occurs when several allocations succeed but then one fails, resulting in an uninitialized pointer being freed despite never being allocated (Mozilla Advisory).
The vulnerability exists within the lg_init() function: if several memory allocations succeed but then one fails, an uninitialized pointer is freed despite never having been allocated. The issue specifically occurs when line 511 fails (such as with an Out of Memory condition), causing lines 512-514 to transfer control to line 544 and the lines that follow, where line 552 reads the uninitialized pointer lgdb->hashtable. If this pointer is nonzero, line 553 attempts to destroy it, potentially leading to memory corruption ([Mozilla Bug](https://bugzilla.mozilla.org/show_bug.cgi?id=1454072)). The vulnerability has been assigned a low severity impact rating by Mozilla (Mozilla Advisory).
The vulnerability has been classified with a low impact severity. While it could lead to memory corruption, it was considered more of a bug than something that could be intentionally exploited, as it would require successfully getting past multiple PORT_Allocs and then triggering an Out of Memory condition in exactly the right place ([Mozilla Bug](https://bugzilla.mozilla.org/show_bug.cgi?id=1454072)).
The vulnerability was fixed in Firefox version 102. Users should upgrade to Firefox 102 or later to receive the security fix. The fix was also backported to Firefox ESR versions (Mozilla Advisory).
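The failure mode described above, as an added example that is not Mozilla's code or the actual patch: a shared cleanup path inspects a field that was never assigned because an earlier allocation failed. The struct, function names and fault-injection counter are assumptions, and a 0xA5 fill stands in for leftover heap bytes so the result is deterministic and nothing invalid is really freed. Zeroing the structure before the first fallible step is one common mitigation for this pattern.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical two-field handle; not the real NSS structure. */
typedef struct { char *name; void *hashTable; } handle_t;

static int fail_at, alloc_no, stale_destroys;

/* Fault injection: the fail_at-th allocation returns NULL (0 = never fail). */
static void *try_alloc(size_t n) {
    return (++alloc_no == fail_at) ? NULL : malloc(n);
}

/* Stand-in for the destroy call in the cleanup path. A value that still holds
   the poison pattern was never assigned; real code would free garbage here. */
static void destroy(void *p, const void *poison) {
    if (p == poison) { stale_destroys++; return; }
    free(p);
}

/* Runs one init attempt and returns how many never-assigned pointers the
   cleanup path tried to destroy. zero_first=0 is the flawed pattern. */
int stale_destroys_after(int zero_first, int fail_on) {
    void *poison;
    handle_t *h;
    memset(&poison, 0xA5, sizeof poison);        /* models leftover heap bytes */
    fail_at = fail_on; alloc_no = 0; stale_destroys = 0;

    h = malloc(sizeof *h);
    if (!h) return -1;
    memset(h, zero_first ? 0 : 0xA5, sizeof *h); /* zeroing == calloc behaviour */

    h->name = try_alloc(16);
    if (!h->name) goto cleanup;                  /* hashTable not assigned yet */
    h->hashTable = try_alloc(64);
    if (!h->hashTable) goto cleanup;
cleanup:                /* success also falls through: the demo tears down at once */
    if (h->name) destroy(h->name, poison);
    if (h->hashTable) destroy(h->hashTable, poison);
    free(h);
    return stale_destroys;
}

int main(void) {
    printf("flawed,   1st alloc fails: %d stale destroy(s)\n", stale_destroys_after(0, 1));
    printf("hardened, 1st alloc fails: %d stale destroy(s)\n", stale_destroys_after(1, 1));
    return 0;
}
```

Only fields that come after the failing allocation are at risk: when the second allocation fails instead, its field has already been assigned NULL and the cleanup path skips it in both variants.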
Source: This report was generated using AI