The attached fuzzed mp4 file can be loaded in Flash using the attached utility like this:
http://localhost/LoadMP4.swf?file=recon_wild.mp4
The resulting crash on Linux x64 looks like this:
=> 0x00007f0f838780b6: paddsw (%rax),%xmm0
The immediate crash is because rax is not 16-byte aligned:
rax 0x7f0f7bf125f8 139704480638456
But the underlying cause would appear to be more nefarious, given a stack that confuses gdb:
#0 0x00007f0f838780b6 in ?? () from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#1 0x00007f0f7bf01380 in ?? ()
#2 0x00007f0f7bf125f8 in ?? ()
#3 0x00007f0f7bf0ffe0 in ?? ()
#4 0x00007f0f7bf125f8 in ?? ()
#5 0x00007f0f7bf0ffe0 in ?? ()
#6 0x00007f0f838eb197 in ?? () from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#7 0x00007f0f838f032f in ?? () from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#8 0x00007f0f838879a0 in ?? () from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#9 0x00007f0f94ff3ee5 in start_thread () from /lib64/libpthread.so.0
#10 0x00007f0f93a51d1d in clone () from /lib64/libc.so.6
And the non-code pointers in the trace fall within the stack mapping:
7f0f7b59d000-7f0f7c347000 rw-p 00000000 00:00 0 [stack: 2148]
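As an added triage helper (not part of the report), the following Python classifies each frame of the backtrace above against the quoted maps line, flagging frames whose addresses sit in the writable, non-executable stack mapping rather than in code, and checks the 16-byte misalignment of rax. The sample input is reconstructed from the output quoted above, with gdb's wrapped "from" lines rejoined.

```python
import re
# Constructed sample: the report's gdb frames (wrapped "from" lines rejoined) and its maps line.
BACKTRACE = """\
#0 0x00007f0f838780b6 in ?? () from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#1 0x00007f0f7bf01380 in ?? ()
#2 0x00007f0f7bf125f8 in ?? ()
#3 0x00007f0f7bf0ffe0 in ?? ()
#4 0x00007f0f7bf125f8 in ?? ()
#5 0x00007f0f7bf0ffe0 in ?? ()
#6 0x00007f0f838eb197 in ?? () from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#7 0x00007f0f838f032f in ?? () from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#8 0x00007f0f838879a0 in ?? () from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#9 0x00007f0f94ff3ee5 in start_thread () from /lib64/libpthread.so.0
#10 0x00007f0f93a51d1d in clone () from /lib64/libc.so.6
"""
MAPS = "7f0f7b59d000-7f0f7c347000 rw-p 00000000 00:00 0 [stack: 2148]\n"
FRAME_RE = re.compile(r"#(\d+)\s+0x([0-9a-f]+)\s+in\s+(\S+)\s*\(\)(?:\s+from\s+(\S+))?")
MAPS_RE = re.compile(r"([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)")

def parse_backtrace(text):
    """(frame_no, address, symbol, object_or_None) for each gdb frame line."""
    return [(int(m[1]), int(m[2], 16), m[3], m[4])
            for m in map(FRAME_RE.match, text.splitlines()) if m]

def parse_maps(text):
    """(start, end, perms, name) for each /proc/<pid>/maps line."""
    return [(int(m[1], 16), int(m[2], 16), m[3], m[4].strip())
            for m in map(MAPS_RE.match, text.splitlines()) if m]

def region_of(addr, regions):
    """Name and permissions of the maps region holding addr, or 'unmapped'."""
    return next((f"{n or 'anon'} ({p})" for lo, hi, p, n in regions if lo <= addr < hi), "unmapped")

def classify_frames(frames, regions):
    """'code:<object>' when gdb resolved the frame to a mapped object, else its maps region."""
    return [(num, addr, "code:" + obj if obj else region_of(addr, regions))
            for num, addr, _sym, obj in frames]

def suspicious_frames(labelled):
    """Frames not in code: a run of these between code frames means gdb walked a corrupted frame chain."""
    return [num for num, _addr, label in labelled if not label.startswith("code:")]

def misalignment(addr, align=16):
    return addr % align  # bytes by which addr misses the alignment an SSE memory operand needs

if __name__ == "__main__":
    labelled = classify_frames(parse_backtrace(BACKTRACE), parse_maps(MAPS))
    print(*(f"#{n:<2} {a:#018x} {l}" for n, a, l in labelled), sep="\n")
    print("non-code frames:", suspicious_frames(labelled), "| rax misalignment:", misalignment(0x7f0f7bf125f8))
```

Frames #1 to #5 come back labelled with the rw-p stack mapping, and rax lands 8 bytes off a 16-byte boundary, matching the fault on paddsw.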
The crash also fires similarly on 32-bit Windows; it just takes a little longer.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.