Status: Fixed
Closed: Nov 2014
Flash heap buffer overflow calling Camera.copyToByteArray() with a large ByteArray
Reported by cevans@google.com, Sep 24 2014
This bug came out of a conversation with Nicolas Joly. I don't feel comfortable claiming any credit but I'll happily take on the co-ordination.
i.e. please credit simply "Nicolas Joly"

This is extremely similar to https://code.google.com/p/google-security-research/issues/detail?id=46

The main difference is that in order to trigger the bug, it is necessary for the user to click through the camera permission dialog, which lowers the severity.

Source and compiled SWF attached. Faults my Chrome Linux x64 every time, Flash v15.0.0.152.

Note that you'll need to click "ok" on all the permission dialogs before a timer fires at the 2 second mark. If you miss, just refresh and try again.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

 
CameraCopyToByteArrayBug.swf (898 bytes)
CameraCopyToByteArrayBug.as (942 bytes)
Comment 1 by cevans@google.com, Sep 24 2014
Labels: Id-3053
Project Member Comment 2 by ianbeer@google.com, Oct 28 2014
Cc: wfh@google.com
Comment 3 by cevans@google.com, Nov 8 2014
Labels: CVE-2014-0582
Comment 4 by cevans@google.com, Nov 20 2014
Labels: -Restrict-View-Commit Fixed-2014-Nov-11
Status: Fixed
http://helpx.adobe.com/security/products/flash-player/apsb14-24.html