Adobe Flash: buffer overflow in Sound.extract()

Reported by cevans@google.com, Mar 25 2015
Please find the attached PoC and source file, which should show the issue cleanly. On Linux x64, it crashes this:

    #0 0x00007f7babfb3bac in __memmove_ssse3_back () from /lib64/libc.so.6
    #1 0x00007f7b9af328cb in ?? () from /opt/google/chrome/PepperFlash/libpepflashplayer.so
    #2 0x00007f7b9adcc329 in ?? ()
    (gdb) x/i $rip
    => 0x7f7babfb3bac <__memmove_ssse3_back+7084>: movdqa %xmm1,-0x10(%rdi)
    (gdb) p/x $rdi
    $1 = 0x7f7b996d9000
    (gdb) p/x $rsi
    $2 = 0x7f7b946c2f00
    (gdb) p $rcx
    $4 = 524224

It's faulting on a read but I'm pretty sure both the read and write are way out of bounds.

I reproduced this with APIFuzz (not yet released); this hits it for me reliably:

    http://localhost/APIFuzz.html?log=1&fuzzclass=flash.media::Sound&iters=100000&yieldcount=100000&seed=9

It doesn't crash in the actual extract() call, but some number of iterations later. This is more evidence that this is a memory corruption and not just an out-of-bounds read.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 1 by cevans@google.com, Mar 25 2015

Mar 25 2015, Apr 10 2015, Apr 14 2015, Apr 30 2015