Flash: wild pointer crash in XML handling
Reported by cevans@google.com, May 21 2015
The attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling. The crash looks like this on Linux x64:

=> 0x00007f6931226f22: mov 0x8(%rcx),%eax
rcx 0x303030303030300 217020518514230016

The wider context shows that the wild pointer target can be incremented with this vulnerability, which is typically enough for an exploit:

=> 0x00007f6931226f22: mov 0x8(%rcx),%eax        <--- read
   0x00007f6931226f25: test %eax,%eax
   0x00007f6931226f27: je 0x7f6931226f80
   0x00007f6931226f29: test $0x40000000,%eax
   0x00007f6931226f2e: jne 0x7f6931226f80
   0x00007f6931226f30: add $0x1,%eax              <--- increment
   0x00007f6931226f33: cmp $0xff,%al
   0x00007f6931226f35: mov %eax,0x8(%rcx)         <--- write back

The base sample from which this fuzz case was generated is also attached, e3f87b25c25db8f9ec3c975f8c1211cc.swf

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
May 21 2015

May 22 2015
Attaching a repro for a similar issue in the same area.

May 26 2015
PSIRT-3734

Aug 11 2015

Aug 18 2015
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html