Flash memory corruption in the G711 codec with 4-byte samples

Reported by cevans@google.com, Oct 8 2014
There is a memory corruption due to a wild memmove() in the G711 codec. I think it affects all Flash builds except the Pepper plug-in (as used by Chrome). Specifically, run the PoC against Flash in Internet Explorer, and a crash is observed.

The PoC is the attachment EmbedSoundG711.swf. Press the "Play" button to trigger the crash. (This bug can be triggered without user interaction, I just happened to base the crafted attack file on a SWF that uses a button.)

EmbedSoundG711.swf is based on EmbedSound.swf (also attached), with the difference that a byte 0x2b is changed to 0x8f. This has the effect of changing codec selection to G711. Note that EmbedSound.swf is simply an uncompressed copy of the demo SWF in the "Embedded Sounds" section at http://help.adobe.com/en_US/flex/using/WS2db454920e96a9e51e63e3d11c0bf60546-7ff2.html

Interestingly, although the crash is in memmove() with a small negative value for "length", this would appear exploitable. In some of the mutated test cases we've observed, the crash occurs not in memmove(), but in another thread that is busy parsing and rendering, where its structures have been trashed by the in-process memmove().

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
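The report describes a memmove() reached with a "small negative value" for its length. The following C program is an added illustration of that bug class and of the bounds check that prevents it; it is not Adobe's code, not the attached PoC, and the decoder layout (a signed "remaining bytes" difference, a header-supplied sample count and sample width) is a hypothetical stand-in for whatever the Flash G711 path actually computed. The sample buffers are constructed inline.

```c
/* Added illustration (not Adobe's code, not the PoC): how a signed
 * "remaining length" that dips slightly below zero becomes a wild memmove(),
 * and a validated copy routine that refuses such requests. The decoder
 * layout here is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length as a careless decoder might derive it: a signed difference cast
 * straight to size_t. Any negative value becomes an enormous copy size,
 * which is exactly the "small negative length" shape of a wild memmove(). */
size_t wild_copy_length(int bytes_available, int bytes_needed) {
    int remaining = bytes_available - bytes_needed;   /* may go negative */
    return (size_t)remaining;                         /* -4 -> SIZE_MAX - 3 */
}

/* Hardened copy: every quantity is validated before memmove() sees it.
 * Returns the number of bytes copied, or -1 when the request does not fit. */
long checked_sample_copy(unsigned char *dst, size_t dst_cap,
                         const unsigned char *src, size_t src_len,
                         size_t sample_count, size_t bytes_per_sample) {
    if (bytes_per_sample == 0 || sample_count > SIZE_MAX / bytes_per_sample)
        return -1;                      /* sample_count * width would overflow */
    size_t need = sample_count * bytes_per_sample;
    if (need > src_len || need > dst_cap)
        return -1;                      /* header claims more than the buffers hold */
    memmove(dst, src, need);
    return (long)need;
}

/* Constructed scenario: the input holds 8 one-byte G.711 samples, but the
 * header is free to claim any sample count and sample width. Using fixed
 * buffers keeps the result checkable without the caller owning memory. */
long demo_copy(size_t sample_count, size_t bytes_per_sample) {
    static const unsigned char src[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    static unsigned char dst[32];
    return checked_sample_copy(dst, sizeof dst, src, sizeof src,
                               sample_count, bytes_per_sample);
}

int main(void) {
    printf("wild length for 4 available, 8 needed: %zu\n", wild_copy_length(4, 8));
    printf("8 samples x 4 bytes from an 8-byte input: %ld (rejected)\n", demo_copy(8, 4));
    printf("8 samples x 1 byte: %ld bytes copied\n", demo_copy(8, 1));
    printf("2 samples x 4 bytes: %ld bytes copied\n", demo_copy(2, 4));
    return 0;
}
```

The point of the contrast is that the unsafe path never compares the requested size against either buffer; the hardened path checks the multiplication, the source length and the destination capacity separately, so a mismatch between the codec's real sample width and a header-claimed 4-byte width is rejected rather than turned into a huge copy.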
Comment 1 by cevans@google.com, Oct 8 2014

Comment, Nov 8 2014

Comment, Nov 20 2014

Comment, Nov 20 2014

Comment, Mar 12 2015
Attaching a libpepflashplayer.so for Chrome Linux x64. It's based on: Google Chrome 41.0.2272.89 (Official Build) Flash 17.0.0.134 ... but with the vulnerability patched back in, which can be done with the following (unique) asm opcode edit:

    0x41 0xbc 0x1e 0x05 0x00 0x00    mov $0x51e,%r12d
 -> 0x41 0xbc 0xde 0x03 0x00 0x00    mov $0x3de,%r12d

This may be useful in case anyone wished to play with this vulnerability.
Comment, Mar 19 2015

Attaching a working exploit for Linux x64; lots of notes inside the source file.

Comment, Mar 19 2015

Blog post for this exploit: http://googleprojectzero.blogspot.ca/2015/03/taming-wild-copy-parallel-thread.html

Comment, Mar 19 2015

This exploit was presented at CanSecWest. Attaching a PDF of the slides used.