Starred by 3 users
Status: Fixed
Owner:
Closed: Sep 2015
Cc:
Flash: use-after-free in video decoding
Reported by cevans@google.com, Jun 9 2015
There is an apparent use-after-free in video decoding, which can be made to manifest by running a specific SWF file, e.g.

http://localhost/video_uaf.swf

Where the SWF may be downloaded here in a zip:

https://drive.google.com/open?id=0B-_usSLlqH60SU1IR3EtTjBFdUU&authuser=0
(The file is too big to attach here)

The zip is public but this password is not: 39e96d70b540650b

Unfortunately, the issue takes a while to manifest. You should observe the Flash process running at 100% CPU, after which it will terminate with an access violation. Sample crash traces to follow.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Comment 1 by cevans@google.com, Jun 9 2015
(It takes perhaps 1-2 minutes for the crash to trigger)

Here is an example of how the crash appears on Linux x64 in Chrome. I've also verified that similar "wild pointer" crashes are seen in Chrome on Windows, both 32-bit and 64-bit.

   0x00007f0f83b1fef8:	lea    (%rax,%rdi,1),%rdi
=> 0x00007f0f83b1fefc:	mov    0x8(%rdi),%rax

rax            0xffffffffffffffff	-1
rdi            0xf	15

At the time of the crash, there's a wide variety of register content between runs, leading to a suspicion of use-after-free.
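As an added example, not part of the bug report and not code from Flash, the following C program uses a toy slab allocator over a static arena to show why a use-after-free produces "wild pointer" crashes whose register contents differ between runs: the freed object's slot is handed to whatever allocation comes next, and a stale field at offset 8 (mirroring the faulting `mov 0x8(%rdi),%rax`) reads back whatever those bytes now hold. The `struct frame` layout, the allocator and all function names are assumptions for illustration; the report says nothing about the real decoder's object layout. It also includes a helper that turns the registers quoted above into the address the faulting load touched.

```c
/*
 * Added example, not code from the bug report or from Flash itself.
 * A toy slab allocator over a static arena shows why a use-after-free
 * yields "wild pointer" crashes with run-to-run varying register values.
 * `struct frame`, the allocator and every name below are assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SLOT_COUNT 4

/* Hypothetical decoder object. The crash executed `mov 0x8(%rdi),%rax`,
 * a load at offset 8 from the object pointer, so put a pointer there. */
struct frame {
    uint64_t frame_no;   /* offset 0 */
    struct frame *next;  /* offset 8: the field the faulting load reads */
    uint64_t pad[2];     /* 32-byte object in total */
};

static struct frame arena[SLOT_COUNT];   /* fixed-size slab, no real malloc */
static int slot_free[SLOT_COUNT];

static void slab_init(void) {
    memset(arena, 0, sizeof arena);
    for (int i = 0; i < SLOT_COUNT; i++) slot_free[i] = 1;
}

/* Hand out the lowest free slot, so a just-freed slot is reused first,
 * the same way a real free list tends to recycle recent frees. */
static void *slab_alloc(void) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (slot_free[i]) { slot_free[i] = 0; return &arena[i]; }
    }
    return NULL;
}

/* Mark free without scrubbing: stale bytes stay, as in real allocators. */
static void slab_free(void *p) {
    slot_free[(struct frame *)p - arena] = 1;
}

/* The crash's two instructions: lea (%rax,%rdi,1),%rdi ; mov 0x8(%rdi),%rax.
 * Given the registers at the fault, return the address the mov touched. */
static uint64_t faulting_load_address(uint64_t rax, uint64_t rdi) {
    uint64_t object = rax + rdi;   /* lea: rdi = rax + rdi (wraps mod 2^64) */
    return object + 8;             /* mov 0x8(%rdi): load 8 bytes past it  */
}

/*
 * Free a frame while a stale pointer to it survives, then allocate
 * `fill_count` unrelated 32-byte buffers filled with `fill_byte`, and
 * finally read `next` through the stale pointer.  The return value is
 * whatever the faulting load would have put into rax.
 */
static uint64_t read_after_free(int fill_count, unsigned char fill_byte) {
    slab_init();
    struct frame *f = slab_alloc();
    f->frame_no = 1;
    f->next = NULL;

    struct frame *dangling = f;   /* some other component keeps this */
    slab_free(f);                 /* ...but the decoder has freed the object */

    for (int i = 0; i < fill_count; i++) {
        unsigned char *buf = slab_alloc();   /* first one lands on f's slot */
        memset(buf, fill_byte, sizeof(struct frame));
    }

    /* The use-after-free proper: `next` is now whatever the reuse wrote. */
    return (uint64_t)(uintptr_t)dangling->next;
}

int main(void) {
    printf("no reuse:         next = 0x%016llx\n",
           (unsigned long long)read_after_free(0, 0xff));
    printf("reuse, 0xff fill: next = 0x%016llx  (cf. rax = -1 in the report)\n",
           (unsigned long long)read_after_free(1, 0xff));
    printf("reuse, 0x0f fill: next = 0x%016llx\n",
           (unsigned long long)read_after_free(1, 0x0f));
    printf("fault address for rax=-1, rdi=0xf: 0x%llx\n",
           (unsigned long long)faulting_load_address((uint64_t)-1, 0xf));
    return 0;
}
```

The point of the two fill bytes is the diagnostic one made above: the same dangling dereference yields a different "pointer" depending on what happened to land in the slot, which is why a memory-safety bug of this kind shows up as varying register contents rather than one stable bad address. Applied to the quoted registers, the lea produces an object pointer of 0xe and the load then touches 0x16, an unmapped page, which is the access violation observed.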
Comment 2 by cevans@google.com, Jun 10 2015
Labels: Id-3804
PSIRT-3804
Project Member Comment 3 by hawkes@google.com, Aug 21 2015
Owner: hawkes@google.com
Project Member Comment 4 by hawkes@google.com, Sep 21 2015
Cc: scarybea...@gmail.com
Labels: CVE-2015-5584 Deadline-Exceeded Deadline-Grace
Status: Fixed
Fixed in APSB15-23
Project Member Comment 5 by mjurczyk@google.com, Mar 21 2016
Labels: -Restrict-View-Commit