4 matches found
Skia and Firefox: Integer overflow in SkTDArray leading to out-of-bounds write (CVE-2018-5159)
Skia bug report: https://bugs.chromium.org/p/skia/issues/detail?id=7674 Mozilla bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=1441941 In Skia, SkTDArray stores length fCount and capacity fReserve as 32-bit ints and does not perform any integer overflow checks. There are a couple of plac...
Skia and Firefox - Integer Overflow in SkTDArray Leading to Out-of-Bounds Write
Skia bug report: https://bugs.chromium.org/p/skia/issues/detail?id=7674 Mozilla bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=1441941 In Skia, SkTDArray stores length fCount and capacity fReserve as 32-bit ints and does not perform any integer overflow checks. There are a couple of...
Skia / Firefox SkTDArray Integer Overflow
Skia and Firefox: Integer overflow in SkTDArray leading to out-of-bounds write CVE-2018-5159 Skia bug report: https://bugs.chromium.org/p/skia/issues/detail?id=7674 Mozilla bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=1441941 In Skia, SkTDArray stores length fCount and capacity fReserv...
Microsoft Windows - 'IOCTL_DISK_GET_DRIVE_LAYOUT_EX' Kernel partmgr Pool Memory Disclosure
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1159 We have discovered that the handler of the IOCTL_DISK_GET_DRIVE_LAYOUT_EX IOCTL in partmgr.sys discloses portions of uninitialized pool memory to user-mode clients. The issue can be reproduced by running the attached...