318 - Flash: memory corruption with ShaderJob width and height TOCTOU condition - project-zero

Starred by 2 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	May 2015
Cc:	project-...@google.com
Deadline-90 Fixed-2015-May-12 Id-3563 CCProjectZeroMembers Finder-cevans Product-Flash Severity-High Vendor-Adobe Reported-2015-Apr-3 CVE-2015-3090

Flash: memory corruption with ShaderJob width and height TOCTOU condition

Reported by cevans@google.com, Apr 3 2015

Back to list

The attached PoC, with source, should illustrate.

The condition of interest seems to be setting off an asynchronous ShaderJob and then modifying the width / height before the shader threads complete. It looks like a TOCTOU.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

ShaderJobTOCTOU.swf
775 bytes Download

ShaderJobTOCTOU.as
840 bytes Download

Comment 1 by cevans@google.com, Apr 6 2015

Labels: Id-3563

Comment 2 by cevans@google.com, May 7 2015

Labels: CVE-2015-3090

Comment 3 by cevans@google.com, May 12 2015

Labels: Fixed-2015-May-12
Status: Fixed

https://helpx.adobe.com/security/products/flash-player/apsb15-09.html

Comment 4 by cevans@google.com, Jun 26 2015

Labels: -Restrict-View-Commit

► Sign in to add a comment