Status: Fixed
Closed: Sep 2015
Flash: information leak into video canvas; rendering of non-deterministic content that apparently contains pointers
Reported by cevans@google.com, Jun 16 2015
The attached fuzzed mp4 file can be loaded in Flash using the attached utility like this:

http://localhost/LoadMP4.swf?file=video_renders_ptrs.mp4

It takes a few seconds to settle, either rendering a black screen or some apparent out-of-bounds content. To maximize the chances of seeing some out-of-bounds content, run the PoC a few times in parallel.

Some nice pictures are attached illustrating what a pointer looks like on 32-bit Windows vs. 64-bit Windows 7 vs. 64-bit Linux :D


This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachments:
- video_renders_ptrs.mp4 (7.0 MB)
- ptrs_win7_32bit.png (1.7 KB)
- LoadMP4.as (1.0 KB)
- ptrs_linux_64bit.png (2.6 KB)
- ptrs_win7_64bit.png (1.6 KB)
Comment 1 by cevans@google.com, Jun 17 2015
Labels: Id-3830
PSIRT-3830
Project Member Comment 2 by hawkes@google.com, Aug 21 2015
Owner: hawkes@google.com
Project Member Comment 3 by hawkes@google.com, Sep 21 2015
Cc: scarybea...@gmail.com
Labels: CVE-2015-5576 Deadline-Exceeded Deadline-Grace
Status: Fixed
Fixed in APSB15-23
Project Member Comment 4 by mjurczyk@google.com, Mar 21 2016
Labels: -Restrict-View-Commit