Status: Fixed
Closed: Aug 2015
Adobe Flash out-of-bounds memory read while parsing a mutated TTF file embedded in SWF
Project Member Reported by mjurczyk@google.com, May 4 2015
The following access violation was observed in the Adobe Flash Player plugin:

(1ba8.1c60): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FlashPlayer.exe - 
eax=0004c800 ebx=00000000 ecx=08982000 edx=00002588 esi=00001200 edi=0042d46c
eip=017723c0 esp=0042d278 ebp=0042d3c4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x254f0:
017723c0 8b0408          mov     eax,dword ptr [eax+ecx] ds:002b:089ce800=????????

0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0042d3c4 0177cfaf 0042d3e0 0042d46c 00000001 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x254f0
0042d3ec 0177d112 0042d414 0042d46c 00001376 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x300df
0042d424 0177d4c2 0042d454 0042d46c 00000006 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x30242
0042d4e0 0176ec7a 00000000 0042d540 03497440 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x305f2
0042d544 01788715 08875020 47535542 6c61746e FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x21daa
0042d7d8 01775c95 0042d814 01775f31 01775f41 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x3b845
0042d7e0 01775f31 01775f41 03497440 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x28dc5
0042d828 017834d2 03497440 00000000 00000030 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x29061
00000000 00000000 00000000 00000000 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x36602

0:000> db ecx
08982000  35 00 00 00 01 00 00 00-00 00 00 00 00 00 00 ff  5...............
08982010  00 00 00 00 00 00 00 00-01 00 00 00 00 00 00 00  ................
08982020  80 a4 b7 01 00 00 00 00-00 00 00 00 00 10 00 00  ................
08982030  00 00 00 00 18 a8 b7 01-20 50 87 08 00 00 00 00  ........ P......
08982040  03 30 02 00 49 00 00 00-01 00 00 00 00 00 00 00  .0..I...........
08982050  00 00 00 ff 00 00 00 00-00 00 00 00 01 00 00 00  ................
08982060  00 00 00 00 80 a4 b7 01-00 00 00 00 00 00 00 00  ................
08982070  00 10 00 00 00 00 00 00-18 a8 b7 01 20 50 87 08  ............ P..

0:000> !address ecx
[...]
Usage:                  <unknown>
Base Address:           08906000
End Address:            08990000
Region Size:            0008a000
State:                  00001000	MEM_COMMIT
Protect:                00000004	PAGE_READWRITE
Type:                   00020000	MEM_PRIVATE
Allocation Base:        087f0000
Allocation Protect:     00000001	PAGE_NOACCESS

Notes:

- Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows.

- The out-of-bounds read appears to be caused by an overly large index value (held in the "EAX" register at the time of the crash, 0x4c800) relative to a dynamically allocated buffer pointed to by "ECX". The committed region containing ECX ends at 0x08990000, only 0xe000 bytes past ECX, so the faulting address 0x089ce800 (ECX + EAX) lies 0x3e800 bytes beyond the end of that region in unmapped memory, which is why the debugger shows the read target as ????????.

- The 32-bit value read from the unmapped memory address is in fact a pointer, and it is immediately used to read 12 bytes in the function one frame up the call chain.

- Attached samples: signal_sigsegv_7ffff710e9d3_881_11431348555663755408.ttf.swf (crashing file), 11431348555663755408.ttf.swf (original file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Attachments:
signal_sigsegv_7ffff710e9d3_881_11431348555663755408.ttf.swf (327 KB)
11431348555663755408.ttf.swf (327 KB)
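To make the pattern in the notes concrete, here is an added C example that is not Flash's code (Flash's TTF structures are not public) and not part of the original report: a file-supplied index is used to fetch a pointer out of a heap-style array and then read a 12-byte record through it, once without a bounds check (the shape of the faulting mov eax,[eax+ecx]) and once with the check that would have rejected the mutated index. The record layout, table contents, function names and the two-byte sample inputs are all constructed for illustration; the only real numbers are ECX, EAX and the region end address taken from the dump above, which the last helper uses to show how far past the committed region the read lands.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 12-byte record; only its size mirrors the report (the pointer
   fetched out of bounds is then used to read 12 bytes). Constructed. */
typedef struct {
    uint32_t a, b, c;
} entry_t;

/* Constructed stand-in for a parsed table: an array of entry pointers plus
   the number of valid slots. Not Flash's real structure. */
typedef struct {
    entry_t **slots;
    size_t    count;
} table_t;

#define NUM_ENTRIES 4
static entry_t  g_entries[NUM_ENTRIES];
static entry_t *g_slots[NUM_ENTRIES];

/* Lazily build the constructed table: entry i holds {i, 2i, 3i}. */
static const table_t *get_table(void) {
    static table_t tbl;
    static int ready;
    if (!ready) {
        for (size_t i = 0; i < NUM_ENTRIES; i++) {
            g_entries[i].a = (uint32_t)i;
            g_entries[i].b = (uint32_t)i * 2;
            g_entries[i].c = (uint32_t)i * 3;
            g_slots[i] = &g_entries[i];
        }
        tbl.slots = g_slots;
        tbl.count = NUM_ENTRIES;
        ready = 1;
    }
    return &tbl;
}

/* TrueType is big-endian; a 16-bit index from the file. */
static uint16_t read_u16be(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable shape: the file-supplied index is trusted. With idx >= count
   this is the out-of-bounds pointer fetch seen in the dump. Kept only for
   contrast; never call it with an unchecked index. */
static const entry_t *lookup_unchecked(const table_t *t, uint32_t idx) {
    return t->slots[idx];
}

/* Hardened shape: reject the index before any pointer is fetched. */
static const entry_t *lookup_checked(const table_t *t, uint32_t idx) {
    if (idx >= t->count) {
        return NULL;
    }
    return t->slots[idx];
}

/* Parse the index from the first two bytes of `blob`, look it up with the
   check, and copy the selected 12-byte record. 0 on success, -1 if rejected. */
static int parse_and_read(const uint8_t *blob, size_t len, entry_t *out) {
    if (len < 2) {
        return -1;
    }
    const entry_t *e = lookup_checked(get_table(), read_u16be(blob));
    if (e == NULL) {
        return -1;   /* fail closed instead of dereferencing garbage */
    }
    memcpy(out, e, sizeof *out);
    return 0;
}

/* Convenience wrapper: sum of the record selected by the BE index hi:lo,
   or -1 if the index was rejected. */
static int read_entry_sum(uint8_t hi, uint8_t lo) {
    uint8_t blob[2] = { hi, lo };
    entry_t e;
    if (parse_and_read(blob, sizeof blob, &e) != 0) {
        return -1;
    }
    return (int)(e.a + e.b + e.c);
}

/* Bytes by which base+index overshoots the end of its committed region.
   Fed the dump's ECX, EAX and the !address End Address it shows the read
   lands far outside the 0x8a000-byte region. */
static uint32_t overshoot_past_region(uint32_t base, uint32_t index,
                                      uint32_t region_end) {
    uint32_t addr = base + index;
    return addr >= region_end ? addr - region_end : 0;
}

int main(void) {
    const entry_t *ok = lookup_unchecked(get_table(), 1);   /* in range */
    printf("unchecked lookup of index 1 -> {%u, %u, %u}\n", ok->a, ok->b, ok->c);
    printf("checked index 2 sum = %d\n", read_entry_sum(0x00, 0x02));
    printf("checked index 0xffff sum = %d (rejected)\n", read_entry_sum(0xff, 0xff));
    printf("crash read lands 0x%x bytes past region end\n",
           overshoot_past_region(0x08982000u, 0x0004c800u, 0x08990000u));
    return 0;
}
```

The check in lookup_checked is the whole fix for this bug class: the index must be compared against the size of the allocation that was actually made, not against any count the file itself claims, before the pointer is loaded and before the 12-byte read one frame up ever happens.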
Project Member Comment 1 by mjurczyk@google.com, May 6 2015
Labels: Id-3648
Project Member Comment 2 by mjurczyk@google.com, Jul 1 2015
Labels: -Reported-2015-Apr-4 Reported-2015-May-4
Fixing a mistake in the Reported label to reflect the actual date of report.
Project Member Comment 3 by mjurczyk@google.com, Aug 11 2015
Labels: Finder-cevans Finder-hawkes
Project Member Comment 4 by natashenka@google.com, Aug 11 2015
Labels: Deadline-Exceeded Deadline-Grace CVE-2015-5133
Status: Fixed
Project Member Comment 5 by mjurczyk@google.com, Aug 18 2015
Labels: -Restrict-View-Commit Fixed-2015-Aug-11
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html.
You wouldn't happen to have the embedded ttf as a separate file, would you?