sla-cker / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash: memory corruption with ShaderJob width and height TOCTOU condition #318

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The attached PoC, with source, should illustrate.

The condition of interest seems to be setting off an asynchronous ShaderJob and then modifying the width / height before the shader threads complete. It looks like a TOCTOU.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 3 Apr 2015 at 11:41
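The pattern described in the report, modelled as an added C example (not the PoC attached to the issue and not Adobe's code): a constructed `shader_job_t` whose output buffer is sized from `width`/`height` at start while the "script side" can still change those fields mid-job, shown beside a hardened shape that snapshots the dimensions and refuses setter calls while the job is running. All names here are hypothetical stand-ins; the model is single-threaded and stands in for the race window with a callback, and it counts bytes that would land out of bounds instead of writing them.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Flash's ShaderJob: a job sized from width/height
 * that runs while the script side can still modify those fields. */
typedef struct {
    int width, height;   /* settable from the "script" side */
    int running;         /* non-zero while the job is in flight */
} shader_job_t;

typedef void (*mutator_fn)(shader_job_t *job);

/* Vulnerable shape: buffer sized from the fields at start, but the fill
 * re-reads the live fields after the race window. Returns the number of
 * bytes that would have been written past the allocation (0 = safe). */
size_t job_run_vulnerable(shader_job_t *job, mutator_fn mutate) {
    size_t alloc = (size_t)job->width * job->height * 4;   /* RGBA */
    unsigned char *out = malloc(alloc);
    if (!out) return 0;
    job->running = 1;
    if (mutate) mutate(job);                  /* race window: fields change here */
    size_t needed = (size_t)job->width * job->height * 4;  /* re-read: TOCTOU */
    size_t overflow = needed > alloc ? needed - alloc : 0;
    memset(out, 0, needed - overflow);        /* only the in-bounds part */
    job->running = 0;
    free(out);
    return overflow;
}

/* Hardened shape: the setter rejects changes while a job is running (a real
 * implementation would guard this with the same lock the worker takes). */
int job_set_size(shader_job_t *job, int w, int h) {
    if (job->running) return -1;
    job->width = w;
    job->height = h;
    return 0;
}

/* The worker snapshots the dimensions at start and never re-reads them. */
size_t job_run_hardened(shader_job_t *job, mutator_fn mutate) {
    job->running = 1;
    int w = job->width, h = job->height;      /* snapshot */
    unsigned char *out = malloc((size_t)w * h * 4);
    if (!out) { job->running = 0; return 0; }
    if (mutate) mutate(job);                  /* setter calls fail here */
    memset(out, 0, (size_t)w * h * 4);        /* sized from the snapshot */
    job->running = 0;
    free(out);
    return 0;
}

/* Mutators standing in for the main thread acting during the job. */
void grow_direct(shader_job_t *job) { job->width = 64; }                 /* unchecked field write */
void grow_via_setter(shader_job_t *job) { (void)job_set_size(job, 64, job->height); }
```

With a 16x16 job, `grow_direct` makes the vulnerable run report 3072 bytes that would have been written out of bounds, while the hardened run keeps its 16x16 snapshot and the setter is refused until the job finishes.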


GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 6 Apr 2015 at 11:40

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 7 May 2015 at 12:40

GoogleCodeExporter commented 9 years ago
https://helpx.adobe.com/security/products/flash-player/apsb15-09.html

Original comment by cev...@google.com on 12 May 2015 at 6:30

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 26 Jun 2015 at 7:30