Status: Fixed
Closed: Sep 2015
Flash: wild pointer 0x1808121a502959a4 decoding h.264
Reported by cevans@google.com, Jun 15 2015
The attached fuzzed mp4 file can be loaded in Flash using the attached utility like this:

http://localhost/LoadMP4.swf?file=cabac_wild.mp4

The resulting crash is surprisingly deterministic on Linux x64, always looking like this:

   0x00007f0f83912c70:	mov    %rsi,0x418(%rdi)
=> 0x00007f0f83912c77:	movzbl (%rsi),%edx

rsi            0x1808121a502959a4	1731653960947292580

It's the value of rsi that is always surprisingly similar.

Filing as a "medium" severity issue because it's only immediately obvious that the pointer is used for byte-by-byte reads.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments:
cabac_wild.mp4 (5.0 MB)
LoadMP4.as (1.0 KB)
Comment 1 by cevans@google.com, Jun 17 2015
Labels: Id-3826 PSIRT-3826
Project Member Comment 2 by hawkes@google.com, Aug 21 2015
Owner: hawkes@google.com
Project Member Comment 3 by hawkes@google.com, Sep 21 2015
Cc: scarybea...@gmail.com
Labels: CVE-2015-5580 Deadline-Exceeded Deadline-Grace
Status: Fixed
Fixed in APSB15-23
Project Member Comment 4 by mjurczyk@google.com, Mar 21 2016
Labels: -Restrict-View-Commit