| ID | Type | Status | Priority | Milestone | Owner | Summary | Labels |
|---|---|---|---|---|---|---|---|
| 43 | | Fixed | | | cevans@google.com | Flash leak of uninitialized data whilst rendering JPEGs | |
| 44 | | Fixed | | | cevans@google.com | Flash leak of uninitialized data whilst rendering a 2-component JPEG | |
| 45 | | Fixed | | | cevans@google.com | Flash leak of uninitialized memory when rendering valid(?) 1bpp image | |
| 46 | | Fixed | | | cevans@google.com | Flash heap buffer overflow calling copyPixelsToByteArray() on a large ByteArray | CCProjectZeroMembers |
| 47 | | Fixed | | | cevans@google.com | Flash leak of uninitialized data when image zlib stream ends prematurely | CCProjectZeroMembers |
| 48 | | Fixed | | | cevans@google.com | Flash leak of uninitialized data when JPEG image alpha channel zlib stream ends prematurely | CCProjectZeroMembers |
| 71 | | Fixed | | | cevans@google.com | Flash out-of-bounds read in uploadCompressedTextureFromByteArray() | CCProjectZeroMembers |
| 75 | | Fixed | | | cevans@google.com | Flash out-of-bounds read with empty ID3 tag | CCProjectZeroMembers |
| 76 | | Fixed | | | cevans@google.com | Flash memory corruption (double free?) with RTMP packet that aborts itself | CCProjectZeroMembers |
| 78 | | Fixed | | | cevans@google.com | Flash memory corruption (integer overflow?) concatenating strings to ~4GB in size | CCProjectZeroMembers |
| 79 | | Fixed | | | cevans@google.com | Flash out-of-bounds read with large string length in RTMP packet | CCProjectZeroMembers |
| 82 | | Fixed | | | cevans@google.com | Flash out-of-bounds read in uploadCompressedTextureFromByteArray() [CubeTexture variant] | CCProjectZeroMembers |
| 88 | | Fixed | | | cevans@google.com | Linux kernel stack overflow when mounting ISO9660 image, including via a USB stick | CCProjectZeroMembers |
| 122 | | Fixed | | | cevans@google.com | Flash memory corruption in the G711 codec with 4-byte samples | CCProjectZeroMembers |
| 124 | | Fixed | | | cevans@google.com | Flash memory corruption when upper casing malformed Unicode | CCProjectZeroMembers |
| 125 | | Fixed | | | cevans@google.com | Flash corruption after corrupting pre-validated bytecode | CCProjectZeroMembers |
| 131 | | Fixed | | | cevans@google.com | Flash write crash at NULL + 0x2b288 (on 64-bit) | CCProjectZeroMembers |
| 165 | | Fixed | | | cevans@google.com | UaF on Adobe's Flash | CCProjectZeroMembers |
| 246 | | Fixed | | | cevans@google.com | Flash: out-of-bounds write with mp4 file missing a track | CCProjectZeroMembers |
| 251 | | Fixed | | | cevans@google.com | Flash: memory corruption with mp4 file with lots of "trex" tags | CCProjectZeroMembers |
| 253 | | Fixed | | | cevans@google.com | Flash: out-of-bounds write with mp4 file missing a track (alternate mp4 parser) | CCProjectZeroMembers |
| 256 | | Fixed | | | cevans@google.com | Flash: memory corruption with -1 length string in titl tag | CCProjectZeroMembers |
| 261 | | Fixed | | | cevans@google.com | Flash: memory corruption with large mp4 atom sizes | CCProjectZeroMembers |
| 264 | | Fixed | | | cevans@google.com | Flash: memory corruption with excessive CEA-708 data block length | CCProjectZeroMembers |
| 265 | | Fixed | | | cevans@google.com | Flash: memory corruption with CEA-708 screen cursor going off-screen | CCProjectZeroMembers |
| 266 | | Fixed | | | cevans@google.com | Flash: memory corruption with large length in EAC3 packet | CCProjectZeroMembers |
| 268 | | Fixed | | | cevans@google.com | Flash: memory corruption with excessive dimensions in H264 | CCProjectZeroMembers |
| 276 | | Fixed | | | cevans@google.com | Flash: not great ASLR for the Flash heap on Win7 64-bit | CCProjectZeroMembers |
| 300 | | Fixed | | | cevans@google.com | Adobe Flash: buffer overflow in Sound.extract() | CCProjectZeroMembers |
| 318 | | Fixed | | | cevans@google.com | Flash: memory corruption with ShaderJob width and height TOCTOU condition | CCProjectZeroMembers |
| 319 | | Fixed | | | cevans@google.com | Flash: uninitialized memory information leak when shading into a ByteArray | CCProjectZeroMembers |
| 322 | | Fixed | | | cevans@google.com | Flash: info leak due to uninitialized registers when executing Shaders | CCProjectZeroMembers |
| 323 | | Fixed | | | cevans@google.com | Flash: integer overflow / memory corruption with excessive number of shader input channels | CCProjectZeroMembers |
| 324 | | Fixed | | | cevans@google.com | Flash: out-of-bounds write in ShaderParameter resolution | CCProjectZeroMembers |
| 361 | | Fixed | | | mjurczyk@google.com | Adobe Flash out-of-bounds memory read while parsing a mutated SWF file | CCProjectZeroMembers |
| 362 | | Fixed | | | mjurczyk@google.com | Adobe Flash out-of-bounds memory read while parsing a mutated SWF file | CCProjectZeroMembers |
| 363 | | Fixed | | | mjurczyk@google.com | Adobe Flash out-of-bounds memory read while parsing a mutated TTF file embedded in SWF | CCProjectZeroMembers |
| 375 | | Fixed | | | cevans@google.com | Flash: uninitialized memory information leak when shading into a ByteArray (#2) | CCProjectZeroMembers |
| 378 | | Fixed | | | cevans@google.com | Flash: out-of-bounds read in UTF conversion | CCProjectZeroMembers |
| 396 | | Fixed | | | cevans@google.com | Flash: wild pointer crash in drawing and bitmap handling | CCProjectZeroMembers |
| 397 | | Fixed | | | cevans@google.com | Flash: wild pointer crash after continuing slow script | CCProjectZeroMembers |
| 398 | | Fixed | | | cevans@google.com | Flash: bad dereference at 0x23c on Linux x64 | CCProjectZeroMembers |
| 399 | | Fixed | | | cevans@google.com | Flash: wild pointer in button handling | CCProjectZeroMembers |
| 400 | | Fixed | | | cevans@google.com | Flash: wild pointer crash in XML handling | CCProjectZeroMembers |
| 404 | | Fixed | | | cevans@google.com | Flash: bad / wild write in XML when callback modifies XML tree unexpectedly during property delete | CCProjectZeroMembers |
| 425 | | Fixed | | | cevans@google.com | Flash: heap-based buffer overflow loading FLV file with Nellymoser audio codec | CCProjectZeroMembers |
| 426 | | Fixed | | | cevans@google.com | Flash: heap-based buffer overflow due to indexing error when loading FLV file | CCProjectZeroMembers |
| 432 | | Duplicate | | | hawkes@google.com | Flash: wild read on audio thread | CCProjectZeroMembers |
| 438 | | Fixed | | | hawkes@google.com | Flash: use-after-free in video decoding | CCProjectZeroMembers |
| 446 | | Fixed | | | hawkes@google.com | Flash: wild pointer 0x1808121a502959a4 decoding h.264 | CCProjectZeroMembers |
| 447 | | Fixed | | | hawkes@google.com | Flash: corrupt stack leading to misaligned XMM instruction decoding h.264 | CCProjectZeroMembers |
| 448 | | Fixed | | | hawkes@google.com | Flash: out-of-bounds crash due to negative table indexing error loading 8-byte wide value | CCProjectZeroMembers |
| 449 | | Fixed | | | hawkes@google.com | Flash: out-of-bounds read in AAC audio handling | CCProjectZeroMembers |
| 450 | | Fixed | | | hawkes@google.com | Flash: information leak into video canvas; rendering of non-deterministic content that apparently contains pointers | CCProjectZeroMembers |
| 452 | | Fixed | | | hawkes@google.com | Flash: wild write at 0x453b0cf0 in color conversion | CCProjectZeroMembers |
| 482 | | Fixed | | | cevans@google.com | Flash: bypass of Vector.<uint> length vs. cookie validation | CCProjectZeroMembers |
| 503 | | Fixed | | | hawkes@google.com | libstagefright integer overflow and heap corruption with saio tag | CCProjectZeroMembers |