Starred by 2 users
Status: Fixed
Closed: Apr 2015
Flash: memory corruption with excessive CEA-708 data block length
Reported by cevans@google.com, Feb 16 2015
To reproduce, host the attached SWF and other files on a web server (e.g. localhost) and load it like this:

http://localhost/PlayManifest.swf?file=caption.m3u8

On 32-bit Chrome on Windows, v40.0.2214.111, WinDbg sees the crash like this:

6deb64eb 8b01     mov    eax,dword ptr [ecx]  ds:002b:41414141=????????
                  call   dword ptr [eax+3Ch]

Looks like vtable dispatch to me, with an attacker controlled "this" pointer.

This is the protocol in question: http://en.wikipedia.org/wiki/CEA-708


This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachments:
PlayManifest.as (1.9 KB)
PlayManifest.swf (7.4 KB)
caption.m3u8 (158 bytes)
prog_index_caption.m3u8 (168 bytes)
caption.ts (7.7 KB)
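An added defensive example (written for this page; not part of the report and not Flash's own parser): a bounds-checked walk over the service blocks of a CEA-708 DTVCC packet in C. It assumes the length field at issue is the 5-bit block_size in each service block header, which the report does not state explicitly; the sample packets are constructed, not taken from the attached caption.ts.

```c
#include <stddef.h>
#include <stdint.h>

/* One CEA-708 service block carried inside a DTVCC packet payload. */
typedef struct {
    uint8_t service_number;  /* 1..63; 0 is a null (padding) block */
    uint8_t block_size;      /* declared length, 0..31 bytes */
    const uint8_t *data;     /* points into the caller's packet buffer */
} service_block_t;

/* Walk the service blocks of one DTVCC packet payload. Each block header
 * is a byte: service_number in the top 3 bits, block_size in the low 5
 * bits; service_number 7 means an extended header byte follows.
 * Returns the number of blocks parsed, or -1 if any header declares more
 * bytes than the buffer holds (assumed to be the missing check). */
int parse_dtvcc_service_blocks(const uint8_t *buf, size_t len,
                               service_block_t *out, size_t max_out)
{
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        uint8_t hdr = buf[pos++];
        uint8_t service = hdr >> 5;
        uint8_t block_size = hdr & 0x1f;
        if (service == 7) {               /* extended service number */
            if (pos >= len) return -1;
            service = buf[pos++] & 0x3f;
        }
        if (service == 0 && block_size == 0)
            continue;                     /* null block: padding only */
        /* Bounds check: never trust block_size beyond the remaining bytes. */
        if (block_size > len - pos) return -1;
        if ((size_t)count >= max_out) return -1;
        out[count].service_number = service;
        out[count].block_size = block_size;
        out[count].data = buf + pos;
        count++;
        pos += block_size;
    }
    return count;
}

/* Constructed samples: service 1 (3 bytes) + service 2 (1 byte); then a
 * header that claims 31 bytes while only 2 follow. */
static const uint8_t GOOD_PACKET[] = { 0x23, 'a', 'b', 'c', 0x41, 'x' };
static const uint8_t BAD_PACKET[]  = { 0x3f, 'a', 'b' };

int parse_good(void) { service_block_t b[4]; return parse_dtvcc_service_blocks(GOOD_PACKET, sizeof GOOD_PACKET, b, 4); }
int parse_bad(void)  { service_block_t b[4]; return parse_dtvcc_service_blocks(BAD_PACKET, sizeof BAD_PACKET, b, 4); }
```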
Comment 1 by cevans@google.com, Feb 17 2015
Labels: Id-3313
Comment 2 by cevans@google.com, Apr 10 2015
Labels: CVE-2015-0355
Comment 4 by cevans@google.com, Apr 30 2015
Labels: -Restrict-View-Commit