Flash: bad cast(?) in display list handling from KeenTeam
Reported by cevans@google.com, Dec 3 2014
Credit is to "Jihui Lu of KeenTeam (@K33nTeam), working with the Chromium vulnerability reward program". Flash Player 15.0.0.239 in Chrome 39, Linux x64.

This bug is hard to categorize; I'm thinking that it might be a bad cast issue after a debugging session. The impact seems to differ per-platform but be fairly deterministic per-platform. On Linux x64, I commonly see a NULL pointer dereference. Other platforms show clearer evidence of corruption; attaching a windbg log from the researcher on 32-bit Windows. I also attach apparent variants.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 1 (Dec 4 2014): Deleted

Dec 4 2014: Adobe tracking as PSIRT-3168.

Feb 4 2015

Feb 6 2015: https://helpx.adobe.com/security/products/flash-player/apsb15-04.html

Feb 12 2015

May 6 2015: Reward tracking: https://code.google.com/p/chromium/issues/detail?id=470749