Status: Fixed
Closed: Sep 2014
Flash out-of-bounds read in uploadCompressedTextureFromByteArray() [CubeTexture variant]
Reported by cevans@google.com, Jul 31 2014
[This is largely identical to https://code.google.com/p/google-security-research/issues/detail?id=71 with the difference that the errant API is called on CubeTexture instead of Texture]

A SWF to reproduce is attached, along with source. Note that the SWF must be loaded by an HTML embed (file also attached) so that wmode="direct" can be set in order to get the 3D APIs to work.

This is probably due to an integer overflow.

Note that this bug is almost certainly 64-bit only. The PoC relies on an allocation that is almost 4GB in size, and obviously such an allocation is never going to succeed in a 32-bit address space.

Also, the bug does not work in Chrome 64-bit Linux, because Chrome 64-bit Linux has a defense that limits total allocations to 4GB. The PoC still crashes the Flash process in Chrome, presumably due to a NULL pointer.

In order to repro fully, try 64-bit Flash in 64-bit IE, or run Chrome 64-bit Linux with the --no-sandbox flag (which disables the 4GB limit).
 
Attachments:
CompressedCubeTextureUploadBug.as (2.3 KB)
CompressedCubeTextureUploadBugEmbed.html (130 bytes)
CompressedCubeTextureUploadBug.swf (1.1 KB)
Comment 1 by cevans@google.com, Jul 31 2014
Labels: Id-2942
Comment 2 by cevans@google.com, Sep 5 2014
Labels: CVE-2014-0547
Comment 3 by cevans@google.com, Sep 9 2014
Labels: Fixed-2014-Sep-9
Status: Fixed
http://helpx.adobe.com/security/products/flash-player/apsb14-21.html

Will derestrict in a week or so, etc.
Comment 4 by cevans@google.com, Sep 23 2014
Labels: -Restrict-View-Commit
Making public.