Flash: uninitialized memory information leak when shading into a ByteArray (#2)

[GoogleCodeExporter]

A PoC (source and SWF) are attached, along with a screenshot of the rendering 
of the uninitialized content into a Bitmap.

Sometimes, the PoC will render just a black image. To get things a bit more 
leaky, I found that playing a Flash video in a second tab whilst refreshing the 
PoC seems to do the trick reliably.

Unfortunately, this appears to be an incorrect fix for 
https://code.google.com/p/google-security-research/issues/detail?id=319. Bug 
319 used a zero mask to cause uninitialized memory, and that PoC does seem to 
be fixed. This latest PoC uses a non-zero but non-complete mask to achieve a 
similar affect.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 12 May 2015 at 7:24

Attachments:

• shaderjobleak2.png
• ShaderJobLeak2.as
• ShaderJobLeak2.swf

[GoogleCodeExporter]

Original comment by cev...@google.com on 12 May 2015 at 9:03

• Added labels: Id-3674

[GoogleCodeExporter]

Original comment by cev...@google.com on 4 Jun 2015 at 9:22

• Added labels: CVE-2015-3108

[GoogleCodeExporter]

https://helpx.adobe.com/security/products/flash-player/apsb15-11.html

Original comment by cev...@google.com on 9 Jun 2015 at 5:45

• Changed state: Fixed

[GoogleCodeExporter]

Original comment by cev...@google.com on 26 Jun 2015 at 7:30

• Added labels: Fixed-2015-Jun-9

[GoogleCodeExporter]

Original comment by cev...@google.com on 26 Jun 2015 at 7:30

• Removed labels: Restrict-View-Commit