Flash: memory corruption with mp4 file with lots of "trex" tags
Reported by cevans@google.com, Feb 4 2015
To reproduce, host the attached SWF and other files on a web server (e.g. localhost) and load it like this:

http://localhost/PlayManifest.swf?file=trex.mpd

This will corrupt some pointers right away, and these pointers will be free()d when the stream is torn down. We could of course do this programmatically without any user interaction, but for now, just press refresh.

On Chrome Windows Canary 64-bit, windbg sees the crash like this:

000007fe`e7e184d4 486378f8 movsxd rdi,dword ptr [rax-8] ds:44444444`4343433b

In other words, the corrupted pointer passed to free() is attacker-controlled. It is also highly deterministic: I believe that the heap corruption involved does not cross a heap chunk boundary.

To compile the .as file, I had to use special flags to flex:

mxmlc -target-player 14.0 -swf-version 25 -static-link-runtime-shared-libraries ./PlayManifest.as

(This also requires that you have v14.0 of playerglobals.swc installed. Any newer version should also be fine.)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
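The report above says the trigger is an MP4 with "lots of" trex boxes, but the attachments are not part of this page. As an added example (not the reporter's code, not the attached files, and not a reproduction of the Flash bug), the script below builds a constructed ISO BMFF file whose moov/mvex box carries an arbitrary number of trex (Track Extends) boxes, then walks the box tree with a size-validated parser and flags files that carry more trex boxes than trak boxes. In the ISO BMFF layout a trex box describes defaults for one track, so a count of trex boxes exceeding the count of trak boxes is the kind of anomaly a triage script would want to surface. The container list, the trak/trex comparison and the sample file layout are this example's own assumptions; nothing here reflects how Flash actually parses the file.

```python
import struct
from collections import Counter

# Boxes whose payload is a sequence of child boxes (assumption: the subset
# relevant to movie headers and fragments; extend as needed).
CONTAINER_BOXES = {b"moov", b"mvex", b"trak", b"mdia", b"minf",
                   b"stbl", b"moof", b"traf", b"edts", b"dinf"}


def box(btype, payload=b""):
    """Plain ISO BMFF box: 32-bit big-endian size, 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


def full_box(btype, version, flags, payload):
    """FullBox: box header followed by 1-byte version and 3-byte flags."""
    return box(btype, struct.pack(">B", version) + flags.to_bytes(3, "big") + payload)


def trex(track_id):
    """trex (Track Extends) FullBox v0: track_ID, default_sample_description_index,
    default_sample_duration, default_sample_size, default_sample_flags."""
    return full_box(b"trex", 0, 0, struct.pack(">IIIII", track_id, 1, 0, 0, 0))


def build_sample_mp4(num_trex):
    """Constructed sample: ftyp + moov(mvhd + mvex(trex * num_trex)), no trak boxes.
    The mvhd body is zero-filled; this is test input, not a playable movie."""
    ftyp = box(b"ftyp", b"iso5" + struct.pack(">I", 0) + b"iso5dash")
    mvhd = full_box(b"mvhd", 0, 0, bytes(96))
    mvex = box(b"mvex", b"".join(trex(i + 1) for i in range(num_trex)))
    return ftyp + box(b"moov", mvhd + mvex)


def iter_boxes(data, start=0, end=None, depth=0):
    """Yield (depth, type, offset, size) for every box, recursing into containers.
    Sizes are validated before use so a hostile file cannot make the walk loop or
    read past the buffer: size==1 means 64-bit largesize, size==0 means 'to end'."""
    end = len(data) if end is None else end
    off = start
    while off < end:
        if end - off < 8:
            raise ValueError(f"truncated box header at offset {off}")
        size, btype = struct.unpack_from(">I4s", data, off)
        hdr = 8
        if size == 1:
            if end - off < 16:
                raise ValueError(f"truncated largesize at offset {off}")
            size = struct.unpack_from(">Q", data, off + 8)[0]
            hdr = 16
        elif size == 0:
            size = end - off
        if size < hdr or off + size > end:
            raise ValueError(f"bad box size {size} for {btype!r} at offset {off}")
        yield depth, btype, off, size
        if btype in CONTAINER_BOXES:
            yield from iter_boxes(data, off + hdr, off + size, depth + 1)
        off += size


def count_boxes(data):
    """Count every box type in the file (containers included)."""
    return Counter(btype for _, btype, _, _ in iter_boxes(data))


def check_trex(data):
    """Return (trex_count, suspicious). Suspicious when trex boxes outnumber trak
    boxes, i.e. there are Track Extends entries with no track to extend."""
    counts = count_boxes(data)
    n_trex = counts.get(b"trex", 0)
    n_trak = counts.get(b"trak", 0)
    return n_trex, n_trex > n_trak


def is_malformed(data):
    """True if the box walk rejects the file (undersized or overrunning boxes)."""
    try:
        count_boxes(data)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    sample = build_sample_mp4(200)
    for depth, btype, off, size in iter_boxes(sample):
        if btype != b"trex" or depth == 2 and off < 200:
            print("  " * depth + f"{btype.decode()} @{off} size={size}")
    print("trex count, suspicious:", check_trex(sample))
```

The walk is deliberately strict: a box whose declared size is smaller than its own header, or which runs past its parent, is rejected rather than skipped, since silently tolerating such sizes is exactly how a parser ends up computing with attacker-chosen lengths. Constructed input only; point `check_trex` at a real file by reading it into `bytes`.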
Comment 1 by cevans@google.com, Feb 5 2015, Mar 6 2015, Mar 12 2015, Mar 19 2015