
Issue 634238 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security




Security: Adobe Flash Button.blendMode setter uninitialized stack variable

Reported by xiong12...@gmail.com, Aug 4 2016

Issue description

VULNERABILITY DETAILS

This is an uninitialized stack variable vulnerability.
When you call the Button.blendMode property setter without any parameters, the program will still try to access the first parameter, which will be an uninitialized stack variable.

var btn = this.attachMovie("MyButton", "btn", 0);
ASnative(105, 11).call(btn); // call Button.blendMode setter, without passing any parameters


VERSION
Chrome Version: 53.0.2785.34 beta-m (64-bit)
Operating System: Windows 7 Home 64-bit

REPRODUCTION CASE

To reproduce the issue, please open "TestButton.swf" with Chrome.


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

Type of crash: tab


Crash State: 


(66c.1c80): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.34\PepperFlash\pepflashplayer.dll - 
pepflashplayer!PPP_ShutdownBroker+0x2ea700:
000007fe`dbaabcb0 f20f1000        movsd   xmm0,mmword ptr [rax] ds:0000044a`06000000=????????????????
4:037> k
Child-SP          RetAddr           Call Site
00000000`0023d440 000007fe`dbada342 pepflashplayer!PPP_ShutdownBroker+0x2ea700
00000000`0023d490 000007fe`dbabb169 pepflashplayer!PPP_ShutdownBroker+0x318d92
00000000`0023d4c0 000007fe`dba08051 pepflashplayer!PPP_ShutdownBroker+0x2f9bb9
00000000`0023d500 000007fe`db9db398 pepflashplayer!PPP_ShutdownBroker+0x246aa1
00000000`0023d6f0 000007fe`dbabb8c9 pepflashplayer!PPP_ShutdownBroker+0x219de8
00000000`0023d750 000007fe`dba08051 pepflashplayer!PPP_ShutdownBroker+0x2fa319
00000000`0023d840 000007fe`dbc3bbef pepflashplayer!PPP_ShutdownBroker+0x246aa1
00000000`0023da40 000007fe`dba41ec6 pepflashplayer!PPP_ShutdownBroker+0x47a63f
00000000`0023e170 000007fe`dba4355f pepflashplayer!PPP_ShutdownBroker+0x280916
00000000`0023e1d0 000007fe`db9e3be9 pepflashplayer!PPP_ShutdownBroker+0x281faf
00000000`0023e490 000007fe`dba19f47 pepflashplayer!PPP_ShutdownBroker+0x222639
00000000`0023e4c0 000007fe`dba6869e pepflashplayer!PPP_ShutdownBroker+0x258997
00000000`0023e510 000007fe`db7dbf0e pepflashplayer!PPP_ShutdownBroker+0x2a70ee
00000000`0023e5a0 000007fe`db81a399 pepflashplayer!PPP_ShutdownBroker+0x1a95e
00000000`0023e7b0 000007fe`db81ac7b pepflashplayer!PPP_ShutdownBroker+0x58de9
00000000`0023e800 000007fe`db81ad8a pepflashplayer!PPP_ShutdownBroker+0x596cb
00000000`0023e8a0 000007fe`db81a7dc pepflashplayer!PPP_ShutdownBroker+0x597da
00000000`0023e8d0 000007fe`d639913c pepflashplayer!PPP_ShutdownBroker+0x5922c
00000000`0023e900 000007fe`d6398447 chrome_child!ovly_debug_event+0x5ad7c
00000000`0023e930 000007fe`d6398382 chrome_child!ovly_debug_event+0x5a087


4:037> lmvm pepflashplayer
start             end                 module name
    Image name: pepflashplayer.dll
    Timestamp:        Wed Jun 29 09:36:00 2016 (57732600)
    CheckSum:         01E192DF
    ImageSize:        01F0F000
    File version:     22.0.0.209
    Product version:  22.0.0.209
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0



Credit:
Yuki Chen of Qihoo 360Vulcan Team
Attachment: TestButton.swf (27.3 KB)
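The defect class described in the report, modelled in C as an added illustration (this is not Flash Player code and not the reporter's PoC): a scripting VM hands a native property setter a pointer to the caller's argument slots plus an argument count, and the unchecked setter reads argv[0] even when argc is 0, so leftover stack data becomes the property value. The hardened variant rejects the call when no argument was pushed. All names (VmStack, Button, set_blend_mode_*), the 0..14 value range and the STALE_SLOT sentinel are constructed for the demo; the sentinel stands in for real uninitialized memory so the program stays deterministic.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a scripting VM handing arguments to a native property
 * setter. Illustrative code, not Flash Player's implementation: the native
 * receives a pointer to the caller's argument slots on the VM stack plus an
 * argument count. The defect on this page is a native that assumes argv[0]
 * exists even when argc == 0, so it reads a slot the caller never wrote. */

#define VM_STACK_SLOTS 8
/* Stands in for whatever the previous frame left on the stack. A fixed
 * sentinel keeps the demo deterministic and free of undefined behaviour. */
#define STALE_SLOT 0x7ff0dead

typedef struct {
    int32_t slots[VM_STACK_SLOTS];
    int sp;                     /* index of the next free slot */
} VmStack;

typedef struct {
    int32_t blend_mode;         /* hypothetical backing store for the property */
} Button;

static void vm_stack_init(VmStack *st) {
    for (int i = 0; i < VM_STACK_SLOTS; i++) st->slots[i] = STALE_SLOT;
    st->sp = 0;
}

/* VULNERABLE pattern: mirrors the reported defect. argc is never consulted,
 * so with no arguments pushed argv[0] is leftover stack data. */
static int set_blend_mode_unchecked(Button *btn, int argc, const int32_t *argv) {
    (void)argc;
    btn->blend_mode = argv[0];
    return 0;
}

/* HARDENED pattern: validate the count, then the value, before reading argv. */
static int set_blend_mode_checked(Button *btn, int argc, const int32_t *argv) {
    if (argc < 1) return -1;                      /* no argument: reject, property unchanged */
    if (argv[0] < 0 || argv[0] > 14) return -2;   /* hypothetical valid range for the demo */
    btn->blend_mode = argv[0];
    return 0;
}

typedef int (*setter_fn)(Button *, int, const int32_t *);

/* Call a native setter the way the VM would: copy the caller's arguments into
 * the next free slots, hand the native a pointer to them with the count,
 * then pop them again. */
static int vm_call_setter(VmStack *st, setter_fn fn, Button *btn,
                          int argc, const int32_t *pushed) {
    int32_t *argv = &st->slots[st->sp];
    for (int i = 0; i < argc; i++) argv[i] = pushed[i];
    st->sp += argc;
    int rc = fn(btn, argc, argv);
    st->sp -= argc;
    return rc;
}

/* Scenario 1: unchecked setter, no arguments (the call shape in the report).
 * Returns the value the property ended up holding. */
int32_t demo_unchecked_no_args(void) {
    VmStack st;
    vm_stack_init(&st);
    Button btn = { 0 };
    vm_call_setter(&st, set_blend_mode_unchecked, &btn, 0, NULL);
    return btn.blend_mode;      /* == STALE_SLOT: leftover data became the property value */
}

/* Scenario 2: checked setter, no arguments. Returns the setter's return code. */
int demo_checked_no_args(void) {
    VmStack st;
    vm_stack_init(&st);
    Button btn = { 0 };
    return vm_call_setter(&st, set_blend_mode_checked, &btn, 0, NULL);   /* -1 */
}

/* Scenario 3: checked setter with one valid argument. Returns the property value. */
int32_t demo_checked_with_arg(void) {
    VmStack st;
    vm_stack_init(&st);
    Button btn = { 0 };
    const int32_t arg = 5;
    vm_call_setter(&st, set_blend_mode_checked, &btn, 1, &arg);
    return btn.blend_mode;      /* 5 */
}

int main(void) {
    printf("unchecked, no args : blend_mode = 0x%x\n", (unsigned)demo_unchecked_no_args());
    printf("checked,   no args : rc = %d\n", demo_checked_no_args());
    printf("checked,   arg 5   : blend_mode = %d\n", (int)demo_checked_with_arg());
    return 0;
}
```

The crash state above (a movsd through a pointer in rax holding an implausible address) is what the unchecked pattern looks like once the stale slot is interpreted as a reference rather than an integer; the argc check is the minimal fix, and in a real VM every native that takes optional arguments needs the same guard, which is why a fix in shared argument-marshalling code can resolve several such reports at once.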
Cc: raymes@chromium.org adobe-flash@chromium.org ihf@chromium.org
Components: Internals>Plugins>Flash
Labels: Security_Severity-Medium Security_Impact-Beta OS-Windows Pri-1
Owner: smori...@adobe.com
Status: Assigned (was: Unconfirmed)
Thanks for the report. I can't repro the crash on M53 but you've provided a good description so Adobe folks may be able to take a look at it. It would help even more if you could provide a crash ID (look in chrome://crashes

Comment 2 by sheriffbot@chromium.org (Project Member), Aug 5 2016

Labels: M-53

Comment 3 by sheriffbot@chromium.org (Project Member), Aug 5 2016

Labels: ReleaseBlock-Stable

Comment 4 by smori...@adobe.com, Aug 6 2016

Status: Fixed (was: Assigned)
Our engineer found this is already fixed. Here is the comment from the engineer:

I tested the latest build 23_0_d0_129 and confirmed it is now a UTR.
Further testing shows that CL 57212 is the last CL that fixes the bug. Here are my findings:

- With build 23_0_d0_115, I was able to repro the bug in Firefox/IE/Chrome 64-bit on Win7, Firefox/Chrome 64-bit on Win8.1, as well as Firefox 64-bit on Win10.
- However, with CL 56671 in build 23_0_d0_116, the bug is only reproducible in Firefox/IE 64-bit on Win7 and Firefox 64-bit on Win10.
- Then, with CL 57212 in build 23_0_d0_123, the bug is no longer reproducible in any of the browser configs tested.

So for Google, the latest beta 23.0.0.126 we delivered to them on Wednesday already has the fix.

Comment 5 by sheriffbot@chromium.org (Project Member), Aug 6 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 6 Deleted

Comment 7 Deleted

Labels: reward-NA

Comment 9 by sheriffbot@chromium.org (Project Member), Sep 23 2016

Labels: Merge-Request-54

Comment 10 by dimu@chromium.org, Sep 24 2016

Labels: -Merge-Request-54 Merge-Approved-54 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Labels: -Merge-Approved-54
I'm not sure if we need to merge here. Beta already seems to have 23.0.0.173

Comment 12 by sheriffbot@chromium.org (Project Member), Nov 12 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
