Starred by 3 users
Status: Fixed
Closed: Apr 2015
Flash: out-of-bounds write in shader handling
Reported by cevans@google.com, Jan 28 2015
Credit is to "Jihui Lu of KeenTeam (@K33nTeam), working with the Chromium vulnerability reward program"

Flash Player 16.0.0.296 in Chrome 40 Linux x64

Crashes are all over the place, due to heap corruption. Attaching 4 PoCs although I believe they are all the same root cause.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments:
- PBJ3.swf (1.3 KB)
- PBJ4.swf (1.2 KB)
- PBJ1.swf (1.3 KB)
- PBJ2.swf (1.2 KB)
Comment 1 by cevans@google.com, Jan 28 2015
Labels: Id-3258
Comment 2 by cevans@google.com, Mar 26 2015
Cc: woo...@gmail.com lv.sam...@gmail.com
Comment 3 by cevans@google.com, Apr 10 2015
Labels: CVE-2015-3041
Comment 5 by cevans@google.com, May 6 2015
Labels: -Restrict-View-Commit
Reward tracking: https://code.google.com/p/chromium/issues/detail?id=470753