323 - Flash: integer overflow / memory corruption with excessive number of shader input channels - project-zero

Starred by 2 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	Jun 2015
Cc:	project-...@google.com
Deadline-90 Fixed-2015-Jun-9 CVE-2015-3104 CCProjectZeroMembers Finder-cevans Product-Flash Severity-High Vendor-Adobe Id-3570 Reported-2015-Apr-8

Flash: integer overflow / memory corruption with excessive number of shader input channels

Reported by cevans@google.com, Apr 8 2015

Back to list

Running the attached PoC causes memory corruption, of this variety (Linux x64):

Program received signal SIGSEGV, Segmentation fault.
0x00007fad00ae9c2e in ?? ()
=> 0x00007fad00ae9c2e:	mov    0x350(%rax),%eax
rax            0x4141414141414141	4702111234474983745

The PoC spews 0x41 fairly indiscriminately on to the heap so it's little surprise we hit a pointer.


The width and height (8192 x 8192) are multiplied by 64 (a value in the shader), leading to integer overflow and subsequent havoc.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

ShaderInputOverflow.swf
951 bytes Download

ShaderInputOverflow.as
1.3 KB Download

Comment 1 by cevans@google.com, Apr 14 2015

Labels: Id-3570

Comment 2 by cevans@google.com, Jun 4 2015

Labels: CVE-2015-3104

Comment 3 by cevans@google.com, Jun 9 2015

Status: Fixed

https://helpx.adobe.com/security/products/flash-player/apsb15-11.html

Comment 4 by cevans@google.com, Jun 26 2015

Labels: Fixed-2015-Jun-9

Comment 5 by cevans@google.com, Jun 26 2015

Labels: -Restrict-View-Commit

► Sign in to add a comment