1323 - Adobe Flash: Out-of-bounds read in applyToRange - project-zero

Starred by 2 users

Status:	Fixed
Owner:	natashenka@google.com
Closed:	Sep 25
Cc:	project-...@google.com
Finder-natashenka Deadline-90 CCProjectZeroMembers Product-Flash Vendor-Adobe Severity-Moderate Finder-mjurczyk Methodology-Fuzzing Reported-2017-Jul-6 CVE-2017-11282

Adobe Flash: Out-of-bounds read in applyToRange

Project Member Reported by natashenka@google.com, Jul 6

Back to list

The attached fuzzed file causes an out-of-bounds read in TextFormat.applyToRange.


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

operator.swf
2.2 KB Download

Project Member Comment 1 by natashenka@google.com, Sep 25

Labels: -Restrict-View-Commit CVE-2017-11282
Status: Fixed

Comment 2 by mitja.ko...@acrossecurity.com, Sep 27

Hey Natalie, did you fuzz this manually? The SWF looks like you took a section of bytes from the original SWF and overwritten another part of the SWF with it.

Comment 3 by mitja.ko...@acrossecurity.com, Sep 29

To anyone interested, we wrote a free micropatch for this vulnerability - just 7 CPU instructions. You can see it in action here: https://www.youtube.com/watch?v=6iZnIQbRf5M. Let us know if you need any help in reproducing the vuln or playing with our micropatch.

► Sign in to add a comment