Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

Platform: Win7 32-bit.
trigger.cpp should fire the issue, with two caveats:
- PoC will NOT work if compiled as a debug build.
- PoC will trigger the condition every time but the subsequent corruption might not cause a crash every time. It may be necessary to run the PoC multiple times.

debug.txt is a sample crash log.

Analysis from Nils:

---
Using the series of calls we are able to free the bitmap object, a reference to this object still exists in the trigger process after killing the first notepad process.

At this time we are able to replace the freed object in memory. We are not able to reuse this object through the original handle, however another free is triggered when quitting the trigger process, which will decrement the reference counter on the freed or replaced object, either modifying heap metadata or freeing the object which was allocated in the place of the original bitmap object.
---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 

debug.txt 4.3 KB View Download

trigger.cpp 1.2 KB Download