113 - Flash 14 on IE11, readAV crash on xmm instruction - project-zero

Starred by 3 users

Status:	Fixed
Owner:	█ fjserna@google.com Last visit > 30 days ago
Closed:	Dec 2014
Cc:	hawkes@google.com ifratric@google.com █ cevans@google.com █ sunda...@adobe.com mjurczyk@google.com project-...@google.com
Cluster-Winfuzz ISE-TPS-bug Deadline-90 CVE-2014-0587 Reported-2014-Sep-22 Fixed-2014-Dec-9 CCProjectZeroMembers Product-Flash Vendor-Adobe Finder-Fermin

Flash 14 on IE11, readAV crash on xmm instruction

Reported by fjserna@google.com, Sep 22 2014

Back to list


Crashlog of the attached file... reliably crashing Flash on IE11 (latest bits as of Sep-22-2014) with pageheap enabled.

Credit to Fermin (fuzzing, triage and infrastructure).
Credit to Ivan, Ben, Mateusz for corpus set

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "c:\Program Files\Internet Explorer\iexplore.exe" c:\winfuzz\gfuzz_agent\tmp\4b8e5dbac4e74ba5bfc3afcf1d5a9da7.swf
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
ModLoad: 00000001`3fef0000 00000001`3ffb6000   iexplore.exe
ModLoad: 00000000`77880000 00000000`77a29000   ntdll.dll
ModLoad: 000007fe`f2d70000 000007fe`f2dde000   C:\Windows\system32\verifier.dll
Page heap: pid 0xC18: page heap enabled with flags 0x3.
ModLoad: 00000000`77760000 00000000`7787f000   C:\Windows\system32\kernel32.dll
ModLoad: 000007fe`fd6b0000 000007fe`fd71c000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 00000000`77660000 00000000`7775a000   C:\Windows\system32\USER32.dll
ModLoad: 000007fe`fe340000 000007fe`fe3a7000   C:\Windows\system32\GDI32.dll
ModLoad: 000007fe`ffb80000 000007fe`ffb8e000   C:\Windows\system32\LPK.dll
ModLoad: 000007fe`fe7c0000 000007fe`fe889000   C:\Windows\system32\USP10.dll
ModLoad: 000007fe`ff980000 000007fe`ffa1f000   C:\Windows\system32\msvcrt.dll
ModLoad: 000007fe`fd730000 000007fe`fd735000   C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
ModLoad: 000007fe`fe6e0000 000007fe`fe7bb000   C:\Windows\system32\advapi32.DLL
ModLoad: 000007fe`ff960000 000007fe`ff97f000   C:\Windows\SYSTEM32\sechost.dll
ModLoad: 000007fe`fdb90000 000007fe`fdcbd000   C:\Windows\system32\RPCRT4.dll
ModLoad: 000007fe`fb270000 000007fe`fb274000   C:\Windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
ModLoad: 000007fe`feb70000 000007fe`ff8f8000   C:\Windows\system32\shell32.DLL
ModLoad: 000007fe`fead0000 000007fe`feb41000   C:\Windows\system32\SHLWAPI.dll
ModLoad: 000007fe`fde80000 000007fe`fe12f000   C:\Windows\system32\iertutil.dll
ModLoad: 000007fe`fd720000 000007fe`fd724000   C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
ModLoad: 000007fe`fc770000 000007fe`fc77c000   C:\Windows\system32\version.DLL
ModLoad: 000007fe`fd9f0000 000007fe`fd9f4000   C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
ModLoad: 000007fe`fda40000 000007fe`fda43000   C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
ModLoad: 00000000`77a50000 00000000`77a53000   C:\Windows\system32\normaliz.DLL
ModLoad: 000007fe`fd830000 000007fe`fd834000   C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
ModLoad: 000007fe`fdb60000 000007fe`fdb8e000   C:\Windows\system32\IMM32.DLL
ModLoad: 000007fe`fda50000 000007fe`fdb59000   C:\Windows\system32\MSCTF.dll
ModLoad: 000007fe`fd4f0000 000007fe`fd4ff000   C:\Windows\system32\CRYPTBASE.DLL
ModLoad: 000007fe`ed240000 000007fe`edf3b000   C:\Windows\system32\IEFRAME.dll
ModLoad: 000007fe`fe130000 000007fe`fe333000   C:\Windows\system32\ole32.dll
ModLoad: 000007fe`ffa20000 000007fe`ffaf7000   C:\Windows\system32\OLEAUT32.dll
ModLoad: 000007fe`fc0b0000 000007fe`fc2a4000   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll
ModLoad: 000007fe`f2fd0000 000007fe`f302c000   c:\Program Files\Internet Explorer\IEShims.dll
ModLoad: 000007fe`fe3b0000 000007fe`fe447000   C:\Windows\system32\comdlg32.dll
ModLoad: 000007fe`fdcc0000 000007fe`fde2c000   C:\Windows\system32\urlmon.dll
ModLoad: 000007fe`fd820000 000007fe`fd824000   C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
ModLoad: 000007fe`fe890000 000007fe`feacb000   C:\Windows\system32\WININET.dll
ModLoad: 000007fe`fd800000 000007fe`fd81e000   C:\Windows\system32\USERENV.dll
ModLoad: 000007fe`fd6a0000 000007fe`fd6af000   C:\Windows\system32\profapi.dll
ModLoad: 000007fe`ef0d0000 000007fe`ef118000   C:\Program Files\Internet Explorer\sqmapi.dll
ModLoad: 000007fe`fd2a0000 000007fe`fd2ab000   C:\Windows\system32\Secur32.dll
ModLoad: 000007fe`fd460000 000007fe`fd485000   C:\Windows\system32\SSPICLI.DLL
ModLoad: 000007fe`fa2e0000 000007fe`fa2e4000   C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
ModLoad: 000007fe`fde30000 000007fe`fde7d000   C:\Windows\system32\WS2_32.dll
ModLoad: 000007fe`fe630000 000007fe`fe638000   C:\Windows\system32\NSI.dll
ModLoad: 000007fe`f9cb0000 000007fe`f9d21000   C:\Windows\system32\winhttp.dll
ModLoad: 000007fe`f99f0000 000007fe`f9a54000   C:\Windows\system32\webio.dll
ModLoad: 000007fe`fb260000 000007fe`fb264000   C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
ModLoad: 000007fe`fce30000 000007fe`fce85000   C:\Windows\system32\mswsock.dll
ModLoad: 000007fe`fce20000 000007fe`fce27000   C:\Windows\System32\wship6.dll
ModLoad: 000007fe`fb890000 000007fe`fb8b7000   C:\Windows\system32\IPHLPAPI.DLL
ModLoad: 000007fe`fb850000 000007fe`fb85b000   C:\Windows\system32\WINNSI.DLL
ModLoad: 000007fe`fe640000 000007fe`fe6d9000   C:\Windows\system32\CLBCatQ.DLL
ModLoad: 000007fe`f7880000 000007fe`f78f4000   C:\Windows\System32\netprofm.dll
ModLoad: 000007fe`fc090000 000007fe`fc0a5000   C:\Windows\System32\nlaapi.dll
ModLoad: 000007fe`fce90000 000007fe`fcea7000   C:\Windows\system32\CRYPTSP.dll
ModLoad: 000007fe`fcb90000 000007fe`fcbd7000   C:\Windows\system32\rsaenh.dll
ModLoad: 000007fe`fd5a0000 000007fe`fd5b4000   C:\Windows\system32\RpcRtRemote.dll
ModLoad: 000007fe`f76c0000 000007fe`f76cc000   C:\Windows\System32\npmproxy.dll
ModLoad: 000007fe`f2c90000 000007fe`f2d46000   C:\Program Files\Internet Explorer\ieproxy.dll
ModLoad: 000007fe`fd840000 000007fe`fd9ac000   C:\Windows\system32\CRYPT32.dll
ModLoad: 000007fe`fd690000 000007fe`fd69f000   C:\Windows\system32\MSASN1.dll
ModLoad: 000007fe`ee4d0000 000007fe`ee564000   C:\Windows\system32\IEUI.dll
ModLoad: 000007fe`fbf50000 000007fe`fbfa6000   C:\Windows\system32\UxTheme.dll
ModLoad: 000007fe`fb080000 000007fe`fb0d4000   C:\Windows\system32\oleacc.dll
ModLoad: 000007fe`fb350000 000007fe`fb4b1000   C:\Windows\system32\windowscodecs.dll
ModLoad: 000007fe`fb820000 000007fe`fb838000   C:\Windows\system32\dwmapi.dll
ModLoad: 000007fe`fe450000 000007fe`fe627000   C:\Windows\system32\SETUPAPI.dll
ModLoad: 000007fe`fda00000 000007fe`fda36000   C:\Windows\system32\CFGMGR32.dll
ModLoad: 000007fe`fd7e0000 000007fe`fd7fa000   C:\Windows\system32\DEVOBJ.dll
ModLoad: 000007fe`fa320000 000007fe`fa4ea000   C:\Windows\system32\explorerframe.dll
ModLoad: 000007fe`fbb00000 000007fe`fbb43000   C:\Windows\system32\DUser.dll
ModLoad: 000007fe`fbbc0000 000007fe`fbcb2000   C:\Windows\system32\DUI70.dll
ModLoad: 000007fe`fd490000 000007fe`fd4e7000   C:\Windows\system32\apphelp.dll
ModLoad: 000007fe`fb290000 000007fe`fb297000   C:\Windows\system32\MSIMG32.dll
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
ModLoad: 00000000`013a0000 00000000`01466000   iexplore.exe
ModLoad: 00000000`77880000 00000000`77a29000   ntdll.dll
ModLoad: 00000000`77a60000 00000000`77be0000   ntdll32.dll
ModLoad: 00000000`00080000 00000000`000ee000   C:\Windows\system32\verifier.dll
Page heap: pid 0xB20: page heap enabled with flags 0x3.
ModLoad: 00000000`74090000 00000000`740cf000   C:\Windows\SYSTEM32\wow64.dll
ModLoad: 00000000`74030000 00000000`7408c000   C:\Windows\SYSTEM32\wow64win.dll
ModLoad: 00000000`74020000 00000000`74028000   C:\Windows\SYSTEM32\wow64cpu.dll
ModLoad: 00000000`77760000 00000000`7787f000   WOW64_IMAGE_SECTION
ModLoad: 00000000`75ca0000 00000000`75db0000   WOW64_IMAGE_SECTION
ModLoad: 00000000`77760000 00000000`7787f000   NOT_AN_IMAGE
ModLoad: 00000000`77660000 00000000`7775a000   NOT_AN_IMAGE
ModLoad: 00000000`752d0000 00000000`75330000   C:\Windows\syswow64\verifier.dll
Page heap: pid 0xB20: page heap enabled with flags 0x3.
ModLoad: 00000000`75ca0000 00000000`75db0000   C:\Windows\syswow64\kernel32.dll
ModLoad: 00000000`77440000 00000000`77487000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 00000000`77140000 00000000`771ec000   C:\Windows\syswow64\msvcrt.dll
ModLoad: 00000000`77430000 00000000`77435000   C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
ModLoad: 00000000`772e0000 00000000`77380000   C:\Windows\syswow64\advapi32.DLL
ModLoad: 00000000`77200000 00000000`77219000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 00000000`75bb0000 00000000`75ca0000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 00000000`75450000 00000000`754b0000   C:\Windows\syswow64\SspiCli.dll
ModLoad: 00000000`75440000 00000000`7544c000   C:\Windows\syswow64\CRYPTBASE.dll
ModLoad: 00000000`76c90000 00000000`76eab000   C:\Windows\syswow64\iertutil.dll
ModLoad: 00000000`77a30000 00000000`77a34000   C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
ModLoad: 00000000`75420000 00000000`75429000   C:\Windows\SysWOW64\version.DLL
ModLoad: 00000000`75950000 00000000`75954000   C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
ModLoad: 00000000`76a30000 00000000`76b30000   C:\Windows\syswow64\user32.DLL
ModLoad: 00000000`75b20000 00000000`75bb0000   C:\Windows\syswow64\GDI32.dll
ModLoad: 00000000`75510000 00000000`7551a000   C:\Windows\syswow64\LPK.dll
ModLoad: 00000000`774d0000 00000000`7756d000   C:\Windows\syswow64\USP10.dll
ModLoad: 00000000`772d0000 00000000`772d3000   C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
ModLoad: 00000000`75b10000 00000000`75b13000   C:\Windows\syswow64\normaliz.DLL
ModLoad: 00000000`77390000 00000000`77394000   C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
ModLoad: 00000000`775a0000 00000000`775f7000   C:\Windows\syswow64\shlwapi.DLL
ModLoad: 77600000 77660000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 75880000 7594c000   C:\Windows\syswow64\MSCTF.dll
ModLoad: 75410000 75414000   C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
ModLoad: 75de0000 76a2a000   C:\Windows\syswow64\shell32.DLL
ModLoad: 72520000 7305f000   C:\Windows\SysWOW64\IEFRAME.dll
ModLoad: 76b30000 76c8c000   C:\Windows\syswow64\ole32.dll
ModLoad: 757f0000 7587f000   C:\Windows\syswow64\OLEAUT32.dll
ModLoad: 74d80000 74f1e000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
ModLoad: 753c0000 75402000   C:\Program Files (x86)\Internet Explorer\IEShims.dll
ModLoad: 77220000 7729b000   C:\Windows\syswow64\comdlg32.dll
ModLoad: 771f0000 771f4000   C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
ModLoad: 75520000 756e2000   C:\Windows\syswow64\WININET.dll
ModLoad: 757d0000 757e7000   C:\Windows\syswow64\USERENV.dll
ModLoad: 75b00000 75b0b000   C:\Windows\syswow64\profapi.dll
ModLoad: 753b0000 753b8000   C:\Windows\SysWOW64\Secur32.dll
ModLoad: 753a0000 753a4000   C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
ModLoad: 00000000`76ef0000 00000000`7701c000   C:\Windows\syswow64\urlmon.dll
ModLoad: 00000000`76eb0000 00000000`76ee5000   C:\Windows\syswow64\WS2_32.dll
ModLoad: 00000000`77490000 00000000`77496000   C:\Windows\syswow64\NSI.dll
ModLoad: 00000000`6f910000 00000000`6f968000   C:\Windows\SysWOW64\winhttp.dll
ModLoad: 00000000`6f8c0000 00000000`6f90f000   C:\Windows\SysWOW64\webio.dll
ModLoad: 00000000`74fd0000 00000000`7500c000   C:\Windows\SysWOW64\mswsock.dll
ModLoad: 00000000`75390000 00000000`75396000   C:\Windows\SysWOW64\wship6.dll
ModLoad: 00000000`752b0000 00000000`752cc000   C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 00000000`751c0000 00000000`751c7000   C:\Windows\SysWOW64\WINNSI.DLL
ModLoad: 00000000`74fb0000 00000000`74fc6000   C:\Windows\SysWOW64\CRYPTSP.dll
ModLoad: 00000000`74d40000 00000000`74d7b000   C:\Windows\SysWOW64\rsaenh.dll
ModLoad: 00000000`74fa0000 00000000`74fae000   C:\Windows\SysWOW64\RpcRtRemote.dll
ModLoad: 00000000`773a0000 00000000`77423000   C:\Windows\syswow64\CLBCatQ.DLL
ModLoad: 00000000`740e0000 00000000`74126000   C:\Program Files (x86)\Internet Explorer\ieproxy.dll
ModLoad: 00000000`74f70000 00000000`74f74000   C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
ModLoad: 00000000`6f930000 00000000`6f969000   C:\Program Files (x86)\Internet Explorer\sqmapi.dll
ModLoad: 00000000`74ab0000 00000000`74ac7000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 00000000`73f30000 00000000`73f6d000   C:\Windows\SysWOW64\bcryptprimitives.dll
ModLoad: 00000000`71470000 00000000`7251e000   C:\Windows\SysWOW64\MSHTML.dll
ModLoad: 00000000`73be0000 00000000`73f27000   C:\Windows\SysWOW64\d2d1.dll
ModLoad: 00000000`738d0000 00000000`73a05000   C:\Windows\SysWOW64\DWrite.dll
ModLoad: 00000000`73b90000 00000000`73bdc000   C:\Windows\SysWOW64\dxgi.dll
ModLoad: 00000000`738b0000 00000000`738c3000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 00000000`75960000 00000000`75afd000   C:\Windows\syswow64\setupapi.dll
ModLoad: 00000000`772a0000 00000000`772c7000   C:\Windows\syswow64\CFGMGR32.dll
ModLoad: 00000000`774a0000 00000000`774b2000   C:\Windows\syswow64\DEVOBJ.dll
ModLoad: 00000000`75db0000 00000000`75dde000   C:\Windows\syswow64\WINTRUST.dll
ModLoad: 00000000`77020000 00000000`77140000   C:\Windows\syswow64\CRYPT32.dll
ModLoad: 00000000`774c0000 00000000`774cc000   C:\Windows\syswow64\MSASN1.dll
ModLoad: 00000000`09e30000 00000000`0aede000   C:\Windows\SysWOW64\mshtml.dll
ModLoad: 00000000`73830000 00000000`738b0000   C:\Windows\SysWOW64\UxTheme.dll
ModLoad: 00000000`0a370000 00000000`0aeaf000   C:\Windows\SysWOW64\ieframe.dll
ModLoad: 00000000`71050000 00000000`71461000   C:\Windows\SysWOW64\jscript9.dll
ModLoad: 00000000`73720000 00000000`7378f000   C:\Windows\SysWOW64\IEUI.dll
ModLoad: 00000000`737d0000 00000000`7382f000   C:\Windows\SysWOW64\SXS.DLL
ModLoad: 00000000`73670000 00000000`73719000   C:\Windows\SysWOW64\ieapfltr.dll
ModLoad: 00000000`75960000 00000000`75afd000   C:\Windows\syswow64\SETUPAPI.dll
ModLoad: 00000000`772a0000 00000000`772c7000   C:\Windows\syswow64\CFGMGR32.dll
ModLoad: 00000000`774a0000 00000000`774b2000   C:\Windows\syswow64\DEVOBJ.dll
ModLoad: 00000000`74f60000 00000000`74f6b000   C:\Windows\SysWOW64\msimtf.dll
ModLoad: 00000000`734f0000 00000000`73665000   C:\Windows\SysWOW64\d3d11.dll
ModLoad: 00000000`70e60000 00000000`71049000   C:\Windows\SysWOW64\D3D10Warp.dll
ModLoad: 00000000`733f0000 00000000`734e5000   C:\Windows\SysWOW64\PROPSYS.dll
ModLoad: 00000000`0d1e0000 00000000`0d2ac000   C:\Windows\SysWOW64\msctf.dll
ModLoad: 00000000`0d2e0000 00000000`0d3ac000   C:\Windows\SysWOW64\msctf.dll
ModLoad: 00000000`733c0000 00000000`733ef000   C:\Windows\SysWOW64\XmlLite.dll
ModLoad: 00000000`6fd10000 00000000`70e5b000   C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_145.ocx
ModLoad: 00000000`6fcd0000 00000000`6fd02000   C:\Windows\SysWOW64\WINMM.dll
ModLoad: 00000000`6fc50000 00000000`6fcc2000   C:\Windows\SysWOW64\DSOUND.dll
ModLoad: 00000000`6fc20000 00000000`6fc45000   C:\Windows\SysWOW64\POWRPROF.dll
ModLoad: 00000000`74aa0000 00000000`74aa5000   C:\Windows\SysWOW64\MSIMG32.dll
ModLoad: 00000000`6fbf0000 00000000`6fc20000   C:\Windows\SysWOW64\DINPUT8.dll
ModLoad: 00000000`6fb70000 00000000`6fbe9000   C:\Windows\SysWOW64\mscms.dll
ModLoad: 00000000`740d0000 00000000`740d8000   C:\Windows\SysWOW64\credssp.dll
ModLoad: 00000000`6fb30000 00000000`6fb6f000   C:\Windows\SysWOW64\schannel.dll
ModLoad: 00000000`6faf0000 00000000`6fb29000   C:\Windows\SysWOW64\MMDevApi.dll
(b20.10d0): Unknown exception - code 000006ba (first chance)
(b20.10d0): Unknown exception - code 000006ba (first chance)
ModLoad: 00000000`6fac0000 00000000`6faee000   C:\Windows\SysWOW64\MLANG.dll
ModLoad: 00000000`6fa90000 00000000`6fab1000   C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 00000000`756f0000 00000000`75735000   C:\Windows\syswow64\WLDAP32.dll
ModLoad: 00000000`6fa40000 00000000`6fa8c000   C:\Windows\SysWOW64\apphelp.dll
ModLoad: 000007fe`fb8e0000 000007fe`fba0c000   C:\Windows\system32\propsys.dll
ModLoad: 000007fe`fc740000 000007fe`fc76d000   C:\Windows\system32\ntmarta.dll
ModLoad: 000007fe`ff900000 000007fe`ff952000   C:\Windows\system32\WLDAP32.dll
(b20.10d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Flash32_14_0_0_145+0xb4055:
6fdc4055 f30f7e0c0f      movq    xmm1,mmword ptr [edi+ecx] ds:002b:0f5dbffc=????????????????
1:019:x86> .sympath SRV*c:\winfuzz\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*c:\winfuzz\symbols*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*c:\winfuzz\symbols*http://msdl.microsoft.com/download/symbols
1:019:x86> .reload /f /a
Reloading current modules
..........................................
...............................

Flash32_14_0_0_145
Flash32_14_0_0_145
Flash32_14_0_0_145
Flash32_14_0_0_145
Flash32_14_0_0_145
Flash32_14_0_0_145
Flash32_14_0_0_145!IAEModule_IAEKernel_UnloadModule

1:019:x86> 

1:019:x86> r
eax=00000017 ebx=00000000 ecx=0f5db600 edx=0f4b0000 esi=0f310bb4 edi=000009fc
eip=6fdc4055 esp=090088f0 ebp=09008960 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010293
Flash32_14_0_0_145+0xb4055:
6fdc4055 f30f7e0c0f      movq    xmm1,mmword ptr [edi+ecx] ds:002b:0f5dbffc=????????????????

1:019:x86> .exr -1
ExceptionAddress: 000000006fdc4055 (Flash32_14_0_0_145+0x00000000000b4055)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 000000000f5dc000
Attempt to read from address 000000000f5dc000

1:019:x86> .lastevent
Last event: b20.10d0: Access violation - code c0000005 (first chance)
  debugger time: Thu Sep 18 21:24:17.971 2014 (UTC + 0:00)

1:019:x86> u eip L10
Flash32_14_0_0_145+0xb4055:
6fdc4055 f30f7e0c0f      movq    xmm1,mmword ptr [edi+ecx]
6fdc405a f30f7e2417      movq    xmm4,mmword ptr [edi+edx]
6fdc405f 660f60e0        punpcklbw xmm4,xmm0
6fdc4063 660f60c8        punpcklbw xmm1,xmm0
6fdc4067 660fe9e1        psubsw  xmm4,xmm1
6fdc406b 660f71f404      psllw   xmm4,4
6fdc4070 660fe5e5        pmulhw  xmm4,xmm5
6fdc4074 660fedcc        paddsw  xmm1,xmm4
6fdc4078 660f73db04      psrldq  xmm3,4
6fdc407d 660f7edf        movd    edi,xmm3
6fdc4081 f30f7e240f      movq    xmm4,mmword ptr [edi+ecx]
6fdc4086 f30f7e3c17      movq    xmm7,mmword ptr [edi+edx]
6fdc408b 660f60e0        punpcklbw xmm4,xmm0
6fdc408f 660f60f8        punpcklbw xmm7,xmm0
6fdc4093 660fe9fc        psubsw  xmm7,xmm4
6fdc4097 660f71f704      psllw   xmm7,4

1:019:x86> q
quit:


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

4b8e5dbac4e74ba5bfc3afcf1d5a9da7.swf
5.8 MB Download

Comment 1 by fjserna@google.com, Sep 22 2014

Reported to Adobe.

Fixing credit, it should go to: 

Credit to Fermin (fuzzing, triage and infrastructure).
Credit to Ben and Mateusz for corpus set

Comment 2 by cevans@google.com, Sep 30 2014

Cc: sunda...@adobe.com

Comment 3 by cevans@google.com, Dec 6 2014

Labels: CVE-2014-0587

Project Member Comment 4 by forshaw@google.com, Dec 29 2014

Labels: -Restrict-View-Commit Fixed-2014-Dec-9
Status: Fixed

Fixed in http://helpx.adobe.com/security/products/flash-player/apsb14-27.html

► Sign in to add a comment