A SWF to reproduce is attached, along with source. To reproduce, host JPEGLeak2.swf on the same web server / directory as twocomps.jpg. A screenshot of the PoC in action is also attached.
twocomps.jpg is a weird JPEG file that has all sorts of problems (it is truncated, among other things), but the main problem is that no software really knows how to handle 2-component JPEGs, as these do not exist in the wild. It looks like Flash's response to not knowing how to handle it is to leave the image canvas uninitialized. This can be a significant security issue.
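As an added example (not part of this report or its PoC), the kind of check a decoder or an upload filter would want in front of an image library: walk the JPEG marker segments, read the component count from the SOF header, and flag files whose marker headers are truncated or that declare a component count other than the usual 1, 3 or 4. The sample bytes are constructed inline and are not twocomps.jpg.

```python
import struct

SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}           # all SOFn share one header layout
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))     # SOI, EOI, TEM, RSTn: no length
EXPECTED_COMPONENTS = {1, 3, 4}                               # greyscale, YCbCr/RGB, CMYK/YCCK

def jpeg_frame_info(data: bytes) -> dict:
    """Read Nf from the first SOF header; 'truncated' means the marker headers end early."""
    info = {"components": None, "truncated": True, "unusual_components": False}
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker; not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            break                       # not at a marker boundary: stop walking
        marker = data[pos + 1]
        pos += 2
        if marker == 0xFF:              # fill byte: re-align on the next 0xFF
            pos -= 1
            continue
        if marker in STANDALONE:
            if marker == 0xD9:          # EOI reached: headers are complete
                info["truncated"] = False
                return info
            continue
        if pos + 2 > len(data):
            break                       # length field itself is cut off
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        seg = data[pos + 2:pos + seg_len]
        if len(seg) < seg_len - 2:
            break                       # segment body runs past end of file
        if marker in SOF_MARKERS and info["components"] is None and len(seg) >= 6:
            n = seg[5]                  # P(1) Y(2) X(2) Nf(1), then component specs
            info["components"] = n
            info["unusual_components"] = n not in EXPECTED_COMPONENTS
        pos += seg_len
        if marker == 0xDA:              # SOS: headers complete, entropy-coded data follows
            info["truncated"] = False
            break
    return info

def _sof0(width, height, ncomp):
    body = bytes([8]) + struct.pack(">HH", height, width) + bytes([ncomp])
    body += b"".join(bytes([i + 1, 0x11, 0]) for i in range(ncomp))
    return b"\xff\xc0" + struct.pack(">H", len(body) + 2) + body

# Constructed samples: a complete 3-component file, and a 2-component file cut off inside SOS.
NORMAL_JPEG = b"\xff\xd8" + _sof0(16, 16, 3) + b"\xff\xd9"
TWO_COMP_TRUNCATED = b"\xff\xd8" + _sof0(16, 16, 2) + b"\xff\xda\x00\x0a\x02"
```

A file that trips either flag should be rejected before it reaches a decoder, rather than relying on the decoder to initialize its canvas when it gives up.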
The PoC goes most of the way to pulling a pointer value (an ASLR defeat) out of the uninitialized canvas, for the 64-bit Linux platform. But you can get the point just by refreshing the PoC a lot and seeing the rendered content change.
Since it's very easy to use this vulnerability to read uninitialized memory content, a 90-day disclosure deadline applies.