Status: Fixed
Closed: May 2015
Flash: memory corruption with large mp4 atom sizes
Reported by cevans@google.com, Feb 10 2015
To reproduce, host the attached SWF and other files on a web server (e.g. localhost) and load it like this:

http://localhost/PlayManifest.swf?file=avcC.mpd

The fault condition varies significantly by platform:
- On 64-bit Chrome OS, an OOM condition occurs.
- On 32-bit Windows, an OOM condition occurs.
- On 64-bit Windows, I believe there's a memory corruption condition. Here's some windbg evidence that a wild copy is going on:

000007fe`ed069230 ...   mov r9, qword ptr [rdx+rcx-8] ds:ffffffff`82054037

And the following assembler does look like an unrolled memcpy() implementation -- it loads r9 and r10 repeatedly, interspersed with movnti instructions to do stores. There's even a bit of prefetchnta going on.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments:
avcC.mpd (622 bytes)
PlayManifest.as (1.8 KB)
avcC.mp4 (64.0 KB)
PlayManifest.swf (7.4 KB)
Comment 1 by cevans@google.com, Feb 11 2015
Labels: Id-3296
Comment 2 by cevans@google.com, May 5 2015
Labels: Deadline-Exceeded Deadline-Grace
Patch is expected May 12th, which is one day after the deadline expires (Sunday May 10th -> bumped to Monday), and well within the grace period.
Comment 3 by cevans@google.com, May 7 2015
Labels: CVE-2015-3078
Comment 4 by cevans@google.com, May 12 2015
Labels: Fixed-2015-May-12
Status: Fixed
https://helpx.adobe.com/security/products/flash-player/apsb15-09.html
Comment 5 by cevans@google.com, Jun 26 2015
Labels: -Restrict-View-Commit