Starred by 2 users
Status: Fixed
Owner:
Closed: Sep 2015
Cc:



Flash: corrupt stack leading to misaligned XMM instruction decoding h.264
Reported by cevans@google.com, Jun 16 2015
The attached fuzzed mp4 file can be loaded in Flash using the attached utility like this:

http://localhost/LoadMP4.swf?file=recon_wild.mp4

The resulting crash on Linux x64 looks like this:

=> 0x00007f0f838780b6:	paddsw (%rax),%xmm0

Where the crash is because rax is not aligned to 16 bytes:
rax            0x7f0f7bf125f8	139704480638456

But the cause would appear to be nefarious on account of a stack that confuses gdb:

#0  0x00007f0f838780b6 in ?? ()
   from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#1  0x00007f0f7bf01380 in ?? ()
#2  0x00007f0f7bf125f8 in ?? ()
#3  0x00007f0f7bf0ffe0 in ?? ()
#4  0x00007f0f7bf125f8 in ?? ()
#5  0x00007f0f7bf0ffe0 in ?? ()
#6  0x00007f0f838eb197 in ?? ()
   from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#7  0x00007f0f838f032f in ?? ()
   from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#8  0x00007f0f838879a0 in ?? ()
   from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#9  0x00007f0f94ff3ee5 in start_thread () from /lib64/libpthread.so.0
#10 0x00007f0f93a51d1d in clone () from /lib64/libc.so.6

And the non-code pointers in the trace seem to point to the stack section:

7f0f7b59d000-7f0f7c347000 rw-p 00000000 00:00 0                          [stack: 2148]

The crash also fires similarly on 32-bit Windows, it just takes a little longer.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachment: LoadMP4.as (1.0 KB)
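The two checks the report makes by hand, that a memory operand of an SSE instruction is not 16-byte aligned and that several "return addresses" in the gdb backtrace fall inside the thread's stack mapping rather than in any code mapping, can be automated for triage. The following script is an added example, not part of the original report or of Flash; it embeds the backtrace and the single `/proc/<pid>/maps` line quoted above as constructed sample input and flags every frame whose address sits in a non-executable mapping.

```python
import re

# Constructed sample input: the gdb backtrace and the stack mapping line from the report.
BACKTRACE = """\
#0  0x00007f0f838780b6 in ?? ()
   from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#1  0x00007f0f7bf01380 in ?? ()
#2  0x00007f0f7bf125f8 in ?? ()
#3  0x00007f0f7bf0ffe0 in ?? ()
#4  0x00007f0f7bf125f8 in ?? ()
#5  0x00007f0f7bf0ffe0 in ?? ()
#6  0x00007f0f838eb197 in ?? ()
   from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#7  0x00007f0f838f032f in ?? ()
   from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#8  0x00007f0f838879a0 in ?? ()
   from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#9  0x00007f0f94ff3ee5 in start_thread () from /lib64/libpthread.so.0
#10 0x00007f0f93a51d1d in clone () from /lib64/libc.so.6
"""
MAPS = "7f0f7b59d000-7f0f7c347000 rw-p 00000000 00:00 0                          [stack: 2148]\n"

FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-f]+) in (\S+) \(\)(?: from (\S+))?", re.M)
MAP_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$", re.M)

def parse_maps(text):
    """Return (start, end, perms, name) tuples from /proc/<pid>/maps-style lines."""
    return [(int(s, 16), int(e, 16), p, n.strip()) for s, e, p, n in MAP_RE.findall(text)]

def classify_frames(backtrace, maps):
    """Return (frame_no, pc, region_name, suspicious) per frame.

    gdb wraps the 'from <module>' part onto its own line; join it back first.
    A genuine return address must lie in an executable mapping, so a frame whose
    address falls in a mapping without 'x' permission (here the stack) is flagged:
    that is the signature of a corrupted stack that walks through data."""
    text = re.sub(r"\n\s+from ", " from ", backtrace)
    regions = parse_maps(maps)
    result = []
    for num, addr, _sym, module in FRAME_RE.findall(text):
        pc = int(addr, 16)
        hit = next((r for r in regions if r[0] <= pc < r[1]), None)
        name = hit[3] if hit else (module or "<not in sample maps>")
        result.append((int(num), pc, name, hit is not None and "x" not in hit[2]))
    return result

def is_aligned(addr, alignment=16):
    """paddsw (%rax),%xmm0 needs a 16-byte-aligned memory operand; an unaligned
    address faults, which is the immediate cause of the crash in the report."""
    return addr % alignment == 0

if __name__ == "__main__":
    for frame in classify_frames(BACKTRACE, MAPS):
        print("#%-2d 0x%016x %-40s %s" % (frame[0], frame[1], frame[2], "STACK?" if frame[3] else ""))
    print("rax aligned:", is_aligned(0x7f0f7bf125f8))
```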
Comment 1 by cevans@google.com, Jun 16 2015
Correction:
http://localhost/LoadMP4.swf?file=weird_stack_xmm.mp4
Attachment: weird_stack_xmm.mp4 (8.0 MB)
Comment 2 by cevans@google.com, Jun 17 2015
Labels: Id-3827
PSIRT-3827
Project Member Comment 3 by hawkes@google.com, Aug 21 2015
Owner: hawkes@google.com
Project Member Comment 4 by hawkes@google.com, Sep 21 2015
Cc: scarybea...@gmail.com
Labels: CVE-2015-5579 Deadline-Exceeded Deadline-Grace
Status: Fixed
Fixed in APSB15-23
Project Member Comment 5 by mjurczyk@google.com, Mar 21 2016
Labels: -Restrict-View-Commit