Status: Fixed
Closed: Sep 2015
Flash: out-of-bounds crash due to negative table indexing error loading 8-byte wide value
Reported by cevans@google.com, Jun 16 2015
The attached fuzzed mp4 file can be loaded in Flash using the attached utility like this:

http://localhost/LoadMP4.swf?file=static_table_neg_index.mp4

The resulting crash on Linux x64 looks like this:

   0x00007f0f8388478b:	lea    0xa0548e(%rip),%rdx        # 0x7f0f84289c20
=> 0x00007f0f83884792:	mov    (%rdx,%rsi,8),%rdx
   0x00007f0f83884796:	mov    %rdx,0x19e48(%rbx)

rdx            0x7f0f84289c20	139704618490912
rsi            0xfffffffffffc0000	-262144

An 8-byte wide value is being loaded from a static table. The suspicion is that it's a function pointer, which could be serious.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments:
static_table_neg_index.mp4 (8.0 MB)
LoadMP4.as (1.0 KB)
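
The faulting instruction in the report, `mov (%rdx,%rsi,8),%rdx`, loads an 8-byte entry from base + index*8 with a negative index. The C sketch below is an added example, not part of the original report or the vendor's code: it recomputes the load address from the reported register values and contrasts an upper-bound-only index check (an assumed flaw shape; the report does not state the root cause) with a check that also rejects negative indices. `TABLE_LEN`, the table contents and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Values copied from the crash dump in the report. */
#define RDX_TABLE_BASE UINT64_C(0x7f0f84289c20)
#define RSI_INDEX      INT64_C(-262144)          /* 0xfffffffffffc0000 */

/* Hypothetical table: the report gives neither its length nor its contents. */
#define TABLE_LEN 4
static const uint64_t g_table[TABLE_LEN] = {0x10, 0x20, 0x30, 0x40};

/* Address read by `mov (%rdx,%rsi,8),%rdx`: base + index*8, wrapping mod 2^64. */
uint64_t effective_address(uint64_t base, int64_t index) {
    return base + (uint64_t)index * 8u;
}

/* Assumed flaw shape: a signed index compared only against the upper bound. */
int check_upper_only(int64_t index) {
    return index < TABLE_LEN;
}

/* Hardened load: the unsigned compare rejects negative and too-large indices. */
int table_load(int64_t index, uint64_t *out) {
    if ((uint64_t)index >= TABLE_LEN)
        return -1;
    *out = g_table[index];
    return 0;
}

int main(void) {
    uint64_t addr = effective_address(RDX_TABLE_BASE, RSI_INDEX);
    uint64_t value = 0;
    printf("load address:      0x%llx\n", (unsigned long long)addr);
    printf("bytes before base: %llu\n", (unsigned long long)(RDX_TABLE_BASE - addr));
    printf("upper-only check:  %s\n", check_upper_only(RSI_INDEX) ? "accepts" : "rejects");
    printf("hardened load:     %s\n", table_load(RSI_INDEX, &value) ? "rejects" : "accepts");
    return 0;
}
```

With the reported values the load lands 2 MiB below the table base, which is why the crash is a wild read rather than a small off-by-one.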
Comment 1 Deleted
Comment 2 by cevans@google.com, Jun 17 2015
Labels: -Id-3829 Id-3828
PSIRT-3828
Project Member Comment 3 by hawkes@google.com, Aug 21 2015
Owner: hawkes@google.com
Project Member Comment 4 by hawkes@google.com, Sep 21 2015
Cc: scarybea...@gmail.com
Labels: CVE-2015-5578 Deadline-Exceeded Deadline-Grace
Status: Fixed
Fixed in APSB15-23
Project Member Comment 5 by mjurczyk@google.com, Mar 21 2016
Labels: -Restrict-View-Commit