#### VULNERABILITY DETAILS
From /content/renderer/pepper/ppb_flash_message_loop_impl.cc:
```
int32_t PPB_Flash_MessageLoop_Impl::InternalRun(
const RunFromHostProxyCallback& callback) {
(...)
// It is possible that the PPB_Flash_MessageLoop_Impl object has been
// destroyed when the nested message loop exits.
scoped_refptr<State> state_protector(state_);
{
base::MessageLoop::ScopedNestableTaskAllower allow(
base::MessageLoop::current());
base::MessageLoop::current()->Run();
}
(...)
}
```
|PPB_Flash_MessageLoop_Impl::InternalRun| doesn't initialize a ScopedPageLoadDeferrer before spinning an event loop. As a result, cross-origin documents can be loaded at an arbitrary javascript execution point.
#### VERSION
Chrome 47.0.2526.80 (Stable)
Chrome 48.0.2564.41 (Beta)
Chrome 49.0.2587.3 (Dev)
Chromium 49.0.2591.0 + Pepper Flash (Release build compiled today)
附件:[CVE-2016-1631.zip](http://paper.seebug.org/papers/Archive/poc/CVE-2016-1631.zip)
京公网安备 11010502034610号
暂无评论