Issue 63: Browser Plugin SRPC Input Marshalling Type Confusion Vulnerability
Team: Beached As

NACL applications that receive handles as input verify that the Javascript variables being passed are indeed objects. However, there is no verification that the object being passed is actually an UnknownHandle object. An arbitrary object type can be passed and will be erroneously cast to an UnknownHandle object, which leads to invalid memory access and potential arbitrary execution. The sample program crashes trying to jump to an invalid location in memory (which varies depending on the state of the heap at the time).
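
The missing check described in the report, as an added example that is not part of the original issue or the Native Client source: a checked downcast that compares the object's class identity before the marshalling code treats it as a handle. The object model and the names `ScriptObject`, `HandleObject`, `OtherObject`, `as_handle` and `marshal_handle_arg` are hypothetical; only `UnknownHandle` comes from the report.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical object model: every scriptable object begins with a pointer
   to its class descriptor. All names here are assumptions for illustration. */
typedef struct ObjClass { const char *name; } ObjClass;
typedef struct ScriptObject { const ObjClass *cls; } ScriptObject;
static const ObjClass kHandleClass = { "UnknownHandle" };
static const ObjClass kOtherClass  = { "Other" };

/* Handle wrapper: only valid when base.cls == &kHandleClass. */
typedef struct HandleObject {
    ScriptObject base;
    int (*get_desc)(const struct HandleObject *);
    int desc;
} HandleObject;

/* Unrelated object type with a different layout behind the same header. */
typedef struct OtherObject {
    ScriptObject base;
    uintptr_t data;   /* an unchecked cast would treat this as get_desc */
} OtherObject;

static int handle_get_desc(const HandleObject *h) { return h->desc; }

/* Checked downcast: verifies class identity, not merely "is an object". */
static const HandleObject *as_handle(const ScriptObject *obj) {
    if (obj == NULL || obj->cls != &kHandleClass) return NULL;
    return (const HandleObject *)obj;
}

/* Marshalling step: 0 and the descriptor on success, -1 if rejected. */
int marshal_handle_arg(const ScriptObject *arg, int *out_desc) {
    const HandleObject *h = as_handle(arg);
    if (h == NULL) return -1;          /* wrong type: never dereferenced */
    *out_desc = h->get_desc(h);
    return 0;
}

/* Constructed inputs: one genuine handle, one object of another class. */
int demo_genuine(void) {
    int d = -1;
    HandleObject h = { { &kHandleClass }, handle_get_desc, 7 };
    return marshal_handle_arg(&h.base, &d) == 0 ? d : -1;
}
int demo_wrong_type(void) {
    int d = 0;
    OtherObject o = { { &kOtherClass }, (uintptr_t)0x1234 };
    return marshal_handle_arg(&o.base, &d);
}
int main(void) { return (demo_genuine() == 7 && demo_wrong_type() == -1) ? 0 : 1; }
```
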
Mar 25, 2009
Verified as an issue.
Status: Accepted
Owner: s...@google.com
Labels: Type-Defect
Apr 10, 2009
Fix was released in build 57.
Status: Fixed