The attached fuzzed mp4 file can be loaded in Flash using the attached utility like this:
http://localhost/LoadMP4.swf?file=decomp_filter.mp4
NOTE: loading this file rarely results in a crash. When it does, the resulting crash on Linux x64 looks like this:
=> 0x00007f0f836671ec: movsd (%rsi),%xmm0
rsi 0x7f0f7499ec80 139704357481600
7f0f7498f000-7f0f7499e000 rw-p 00000000 00:00 0
7f0f7499e000-7f0f74c1f000 ---p 00000000 00:00 0
It's an out-of-bounds read and there's a suspicion that the out-of-bounds content might be recoverable using Sound.extract() or a similar API.
When the crash does not occur (as is the dominant case), you can still tell that something is wrong because the sound degenerates into noise after 2 seconds, and by refreshing the sample many times you can hear that the noise is non-deterministic. (Run additional Flash content such as animations or videos to exacerbate this effect.)
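Added example, not part of the original report: a short Python triage helper that places the faulting address from the crash above against the two quoted memory-map lines. The function and type names are hypothetical; the address and map lines are the ones shown in the report.

```python
import re
from typing import NamedTuple

# Values copied from the crash in the report: the faulting source register
# (rsi) and the two adjacent memory-map lines.
FAULT_ADDR = 0x7F0F7499EC80
MAPS = """\
7f0f7498f000-7f0f7499e000 rw-p 00000000 00:00 0
7f0f7499e000-7f0f74c1f000 ---p 00000000 00:00 0
"""

class Mapping(NamedTuple):  # hypothetical helper type
    start: int
    end: int                # exclusive upper bound
    perms: str

MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\b")

def parse_maps(text: str) -> list[Mapping]:
    """Parse /proc/<pid>/maps style lines, skipping anything malformed."""
    out = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            out.append(Mapping(int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return sorted(out)

def classify_read(addr: int, maps: list[Mapping]) -> dict:
    """Describe where a faulting read landed relative to readable memory."""
    hit = next((m for m in maps if m.start <= addr < m.end), None)
    # Closest readable mapping that ends at or below the faulting address.
    below = [m for m in maps if m.perms[0] == "r" and m.end <= addr]
    prev = max(below, key=lambda m: m.end) if below else None
    return {
        "mapped": hit is not None,
        "readable": bool(hit and hit.perms[0] == "r"),
        "perms": hit.perms if hit else None,
        "bytes_past_readable": addr - prev.end if prev else None,
        "adjacent": bool(hit and prev and prev.end == hit.start),
    }

if __name__ == "__main__":
    for key, value in classify_read(FAULT_ADDR, parse_maps(MAPS)).items():
        print(f"{key}: {value}")
```

For the values in the report, the helper shows the read landing 0xc80 bytes past the end of the rw-p mapping, inside the adjacent ---p region.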
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.