sla-cker / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash: info leak due to uninitialized registers when executing Shaders #322

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
It would appear that when executing a Shader, Flash starts with an 
uninitialized register state. Therefore, if a Shader program fails to load a 
texture or constant or other value into the output register, it is possible to 
leak memory content.

The attached SWF demonstrates this; it may be necessary to reload the SWF 
multiple times before you get lucky and leak some non-zero memory content. An 
image is attached as an example of what it can look like when the leak triggers 
(Linux x64).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 8 Apr 2015 at 8:36

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 10 Apr 2015 at 2:55

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 7 May 2015 at 12:41

GoogleCodeExporter commented 9 years ago
https://helpx.adobe.com/security/products/flash-player/apsb15-09.html

Original comment by cev...@google.com on 12 May 2015 at 6:30

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 26 Jun 2015 at 7:30