telnetgmike / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash leak of uninitialized memory when rendering valid(?) 1bpp image #45

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
A SWF to reproduce is attached, along with source. To reproduce, host the additional resource SWF "imglossless1bpp.swf" on the same web server / directory as Lossless1bppLeak.swf

This bug is a strange one. I think the 1bpp image is reasonably well-formed and valid: it has a 2-color color table (black and white), and enough image data to fill the entire 64x64 1bpp canvas. Despite this, a multi-color image is rendered, which clearly contains some uninitialized data.

Maybe 1bpp image support is broken? I'm not really sure what's going on other than the definite observation of uninitialized memory content leaking to script.

A screenshot is attached for convenience.

Original issue reported on code.google.com by cev...@google.com on 14 Jul 2014 at 7:02

Attachments:
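The report hinges on one decoder-side property: a renderer must never hand back output pixels it did not actually write from input it actually had. The following is an added illustration of that property, not Flash's DefineBitsLossless decoder and not code from this issue or its attachments. It decodes a colour-mapped bitmap under an assumed layout (bpp of 1, 2, 4 or 8; pixels packed MSB-first; each row padded to a byte boundary), requires the input to cover the whole canvas before it writes anything, rejects palette indices outside the colour table, and zeroes the output on any failure so stale heap bytes cannot reach the caller. The names `decode_indexed`, `row_stride` and the `DECODE_*` codes are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration of a colour-mapped bitmap decoder (hypothetical, not
 * Flash's code). Layout is an assumption: bpp in {1,2,4,8}, pixels packed
 * MSB-first, each row padded to a whole byte. */

typedef struct { uint8_t r, g, b, a; } rgba_t;

enum {
    DECODE_OK         =  0,
    DECODE_BAD_BPP    = -1,
    DECODE_SHORT_DATA = -2,   /* input does not cover the canvas */
    DECODE_BAD_INDEX  = -3,   /* pixel index outside the colour table */
    DECODE_TOO_BIG    = -4    /* dimensions outside what we are willing to size */
};

/* Bytes occupied by one packed row of `width` pixels at `bpp` bits each. */
size_t row_stride(size_t width, unsigned bpp)
{
    return (width * bpp + 7) / 8;
}

/* Decode `data` into `out`, which must hold width*height rgba_t entries.
 * Every output pixel is written before DECODE_OK is returned; on any
 * failure the whole output buffer is zeroed, so the caller can never
 * observe whatever the buffer held before the call. */
int decode_indexed(const uint8_t *data, size_t data_len,
                   const rgba_t *palette, size_t palette_len,
                   size_t width, size_t height, unsigned bpp,
                   rgba_t *out)
{
    if (bpp != 1 && bpp != 2 && bpp != 4 && bpp != 8)
        return DECODE_BAD_BPP;

    /* Bound the dimensions first so the size arithmetic below cannot wrap. */
    if (width == 0 || height == 0 || width > 8192 || height > 8192)
        return DECODE_TOO_BIG;

    size_t pixels = width * height;
    size_t stride = row_stride(width, bpp);

    /* The canvas must be fully backed by input data; otherwise a decoder
     * that simply "stops early" leaves the tail of `out` uninitialized. */
    if (data_len < stride * height) {
        memset(out, 0, pixels * sizeof *out);
        return DECODE_SHORT_DATA;
    }

    unsigned mask = (1u << bpp) - 1;
    for (size_t y = 0; y < height; y++) {
        const uint8_t *row = data + y * stride;
        for (size_t x = 0; x < width; x++) {
            size_t bit = x * bpp;
            unsigned idx = (row[bit / 8] >> (8 - bpp - bit % 8)) & mask;
            /* A colour table may legitimately be smaller than 2^bpp, so
             * each index must be checked against the table actually given. */
            if (idx >= palette_len) {
                memset(out, 0, pixels * sizeof *out);
                return DECODE_BAD_INDEX;
            }
            out[y * width + x] = palette[idx];
        }
    }
    return DECODE_OK;
}
```

With a constructed 64x64 1bpp image and a two-entry black/white table, the decoder fills all 4096 pixels from exactly 512 input bytes; dropping a single input byte, or feeding an 8bpp index of 5 against the same two-entry table, yields an error and an all-zero buffer rather than a mix of valid and leftover pixels.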

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 14 Jul 2014 at 7:04

GoogleCodeExporter commented 9 years ago
(test)

Original comment by cev...@google.com on 14 Jul 2014 at 7:12

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 14 Jul 2014 at 7:14

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 15 Jul 2014 at 5:22

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 21 Aug 2014 at 3:30

GoogleCodeExporter commented 9 years ago
Bulletin: http://helpx.adobe.com/security/products/flash-player/apsb14-18.html

Original comment by cev...@google.com on 21 Aug 2014 at 3:36

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 21 Aug 2014 at 10:01

GoogleCodeExporter commented 9 years ago
Blogged about here: http://googleprojectzero.blogspot.com/2014/08/what-does-pointer-look-like-anyway.html

Marking as Fixed since the patch has been available for > 1 week.

Original comment by cev...@google.com on 21 Aug 2014 at 10:09