Full title: Chrome Mojo DataPipe*Dispatcher Deserialization Lacking Validation Exploit
Category: dos / poc
Platform: windows

Chrome has missing validation in the deserialization routines for both DataPipeConsumerDispatcher and DataPipeProducerDispatcher, which take from the incoming message a read_offset/write_offset respectively into shared memory. Providing an offset outside the bounds of the allocated memory will then result in an out-of-bounds read/write when the pipe is used.
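A minimal model of the missing check, added here as an example and not taken from Chrome or from the original entry: the struct layout, the function names and the `mapped_size` parameter are assumptions made for illustration. It places a deserializer that passes the sender's offset through beside one that validates every field against the size of the shared region the receiver itself mapped.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical wire layout for a serialized pipe endpoint (assumed for this
// example; not Chrome's actual structure).
struct SerializedState {
  uint32_t capacity;         // ring-buffer size claimed by the sender
  uint32_t offset;           // read_offset (consumer) or write_offset (producer)
  uint32_t bytes_available;  // bytes currently held in the ring
};

// The pattern described above: sender-controlled fields are copied as-is.
bool DeserializeUnchecked(const uint8_t* msg, size_t len, SerializedState* out) {
  if (len != sizeof(*out)) return false;
  std::memcpy(out, msg, sizeof(*out));
  return true;  // offset is never compared with the mapped region
}

// Hardened form: every field is checked against mapped_size, the size of the
// shared region the receiver mapped (known locally, not taken from the message).
bool DeserializeChecked(const uint8_t* msg, size_t len, size_t mapped_size,
                        SerializedState* out) {
  SerializedState s;
  if (len != sizeof(s)) return false;
  std::memcpy(&s, msg, sizeof(s));
  if (s.capacity == 0 || s.capacity > mapped_size) return false;
  if (s.offset >= s.capacity) return false;
  if (s.bytes_available > s.capacity) return false;
  *out = s;
  return true;
}

// Largest contiguous span a later read or write may touch from base + offset.
// Only meaningful for a state that passed DeserializeChecked.
size_t ContiguousSpan(const SerializedState& s) {
  size_t to_end = s.capacity - s.offset;
  return s.bytes_available < to_end ? s.bytes_available : to_end;
}

int main() {
  SerializedState forged = {4096, 0x100000, 64};  // constructed sample input
  SerializedState out;
  bool ok = DeserializeChecked(reinterpret_cast<const uint8_t*>(&forged),
                               sizeof(forged), 4096, &out);
  std::printf("forged state accepted: %s\n", ok ? "yes" : "no");
  return ok ? 1 : 0;
}
```

Rejecting the message at deserialization time keeps the out-of-range offset from ever reaching the code that indexes the mapping.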