A nasty looking crash is manifesting in various different ways under fuzzing, apparently related to drawing and bitmap handling.
A trigger is attached, signal_sigsegv_7ffff5b5aee2_252_0688bbd450e7c095265d00be2fca50ab.swf
The base file from which this fuzz case was generated is attached, 0688bbd450e7c095265d00be2fca50ab.swf
The crash on 64-bit Linux looks like this:
=> 0x00007f69314b8f7d: cmpl $0xc,0x174(%rax)
rax 0x83071500ff0300 36881008741516032
If we trace through the usages of %rax, we can get to some bad writes pretty easily:
=> 0x00007f69314b8f7d: cmpl $0xc,0x174(%rax)
0x00007f69314b8f84: je 0x7f69314b8fa0
...
0x00007f69314b8fa0: mov (%rax),%rdi <-- rdi compromised
0x00007f69314b8fa3: callq 0x7f69314b8810
...
0x00007f69314b8810: mov (%rsi),%edx
0x00007f69314b8812: cmp $0x7ffffff,%edx
0x00007f69314b8818: je 0x7f69314b8862
0x00007f69314b881a: mov 0x10(%rdi),%eax
0x00007f69314b881d: cmp $0x7ffffff,%eax
0x00007f69314b8822: je 0x7f69314b8868
0x00007f69314b8824: sub $0x1,%edx
0x00007f69314b8827: cmp %eax,%edx
0x00007f69314b8829: cmovg %eax,%edx
0x00007f69314b882c: mov 0x14(%rdi),%eax
0x00007f69314b882f: mov %edx,0x10(%rdi) <---- rdi written to
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
|
0688bbd450e7c095265d00be2fca50ab.swf
2.2 MB
Download
|
|
|
signal_sigsegv_7ffff5b5aee2_252_0688bbd450e7c095265d00be2fca50ab.swf
2.2 MB
Download
|