450 - Flash: information leak into video canvas; rendering of non-deterministic content that apparently contains pointers - project-zero

Starred by 2 users

Status:	Fixed
Owner:	hawkes@google.com
Closed:	Sep 2015
Cc:	scarybea...@gmail.com project-...@google.com
CVE-2015-5576 Severity-Medium Reported-2015-Jun-15 Deadline-90 Deadline-Grace Finder-hawkes Deadline-Exceeded CCProjectZeroMembers Finder-cevans Product-Flash Vendor-Adobe Finder-mjurczyk Id-3830

Flash: information leak into video canvas; rendering of non-deterministic content that apparently contains pointers

Reported by cevans@google.com, Jun 16 2015

Back to list

The attached fuzzed mp4 file can be loaded in Flash using the attached utility like this:

http://localhost/LoadMP4.swf?file=video_renders_ptrs.mp4

It takes a few seconds to settle, either rendering a black screen or some apparent out-of-bounds content. To maximize the chances of seeing some out-of-bounds content, run the PoC a few times in parallel.

Some nice pictures are attached illustrating what a pointer looks like on 32-bit Windows vs. 64-bit Windows 7 vs. 64-bit Linux :D


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

video_renders_ptrs.mp4
7.0 MB Download

	ptrs_win7_32bit.png 1.7 KB View Download

LoadMP4.as
1.0 KB Download

	ptrs_linux_64bit.png 2.6 KB View Download

	ptrs_win7_64bit.png 1.6 KB View Download

Comment 1 by cevans@google.com, Jun 17 2015

Labels: Id-3830

PSIRT-3830

Project Member Comment 2 by hawkes@google.com, Aug 21 2015

Owner: hawkes@google.com

Project Member Comment 3 by hawkes@google.com, Sep 21 2015

Cc: scarybea...@gmail.com
Labels: CVE-2015-5576 Deadline-Exceeded Deadline-Grace
Status: Fixed

Fixed in APSB15-23

Project Member Comment 4 by mjurczyk@google.com, Mar 21 2016

Labels: -Restrict-View-Commit

► Sign in to add a comment