432 - Flash: wild read on audio thread - project-zero

Starred by 2 users

Status:	Duplicate
Owner:	hawkes@google.com
Closed:	Sep 2015
Cc:	project-...@google.com
Severity-Medium Reported-2015-Jun-4 Deadline-90 Finder-hawkes CCProjectZeroMembers Finder-cevans Product-Flash Vendor-Adobe Id-3796 Finder-mjurczyk

Flash: wild read on audio thread

Reported by cevans@google.com, Jun 5 2015

Back to list

To reproduce, host the attached files appropriately, and:

http://localhost/LoadMP4.swf?file=crash11077077.flv

If there is no crash at first, refresh the page a few times.

With a debugger attached to 64-bit Flash in Chrome Linux, the crash manifests like this:

=> 0x00007f48556b6050 <__memmove_ssse3_back+80>:	movdqu (%rsi),%xmm0

rsi            0x7f4843b9f000
rdi            0x7f4843b8d000
rdx            0xc18	3096

7f4843144000-7f4843b9f000 rw-p 00000000 00:00 0 
7f4843b9f000-7f4843bcd000 ---p 00000000 00:00 0 


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

crash11077077.flv
8.4 MB Download

LoadMP4.as
1.0 KB Download

LoadMP4.swf
1.0 KB Download

Comment 1 by cevans@google.com, Jun 7 2015

Labels: Id-3796

PSIRT-3796

Project Member Comment 2 by hawkes@google.com, Aug 21 2015

Owner: hawkes@google.com

Project Member Comment 3 by hawkes@google.com, Sep 3 2015

Labels: -Restrict-View-Commit
Status: Duplicate

Duplicate of https://code.google.com/p/google-security-research/issues/detail?id=425

► Sign in to add a comment