Microsoft Windows - win32k.sys TTF Processing win32k!sbit_Embolden win32k!ttfdCloseFontContext Use-After-Free (MS16-120)

Microsoft Windows - win32k.sys TTF Processing win32k!sbitEmbolden win32k!ttfdCloseFontContext Use-After-Free MS16-120 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=868 We have encountered Windows kernel crashes in the win32k!sbitEmbolden and win32k!ttfdCloseFontContext functio...

Microsoft Windows - 'win32k.sys' TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120)

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=864 We have encountered a number of Windows kernel crashes in the win32k!itrpGetCVTEntryFast function called by the handler of the RCVT TrueType instruction while processing corrupted TTF font files, such as: ---...

Microsoft Windows - 'win32k.sys' TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=868 We have encountered Windows kernel crashes in the win32k!sbitEmbolden and win32k!ttfdCloseFontContext functions while processing corrupted TTF font files. Excerpts of them are shown below: --- KERNELMODEEXCEPTIONNOTHANDLED 8e...

Microsoft Windows - Kernel win32k.sys TTF Processing EBLC / EBSC Tables Pool Corruption (MS16-039)

Exploit for windows platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=684 We have encountered a Windows kernel crash in the win32k.sys driver while processing a corrupted TTF font file. An example of a crash log excerpt generated after triggering the...

Microsoft Windows Kernel - win32k.sys TTF Processing EBLC EBSC Tables Pool Corruption (MS16-039)

Microsoft Windows Kernel - win32k.sys TTF Processing EBLC EBSC Tables Pool Corruption MS16-039 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=684 We have encountered a Windows kernel crash in the win32k.sys driver while processing a corrupted TTF font file. An example of a cras...