Status: Fixed
Closed: Sep 2015
Flash: wild write at 0x453b0cf0 in color conversion
Reported by cevans@google.com, Jun 16 2015
The attached fuzzed flv file can be loaded in Flash using the attached utility like this:

http://localhost/LoadMP4.swf?file=yuv.flv

It crashes on both Linux x64 and Windows 32-bit, interestingly with the same pointer value:

=> 0x00007f0f83b21591:	movdqu %xmm7,0x10(%rax)

rax            0x453b0cf0	1161497840
xmm7:          uint128 = 0xff7f827fff7f827fff7f827fff7f827f

That pointer value is unlikely to be mapped on 64-bit, but it's in a readily reachable location on 32-bit. Changing the input file might get better control of rax -- this has not been investigated.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments:
LoadMP4.as (1.0 KB)
yuv.flv (1.8 MB)
Comment 1 by cevans@google.com, Jun 17 2015
Labels: Id-3831
PSIRT-3831
Project Member Comment 2 by hawkes@google.com, Aug 21 2015
Owner: hawkes@google.com
Project Member Comment 3 by hawkes@google.com, Sep 21 2015
Cc: scarybea...@gmail.com
Labels: CVE-2015-5575 Deadline-Exceeded Deadline-Grace
Status: Fixed
Fixed in APSB15-23
Project Member Comment 4 by mjurczyk@google.com, Mar 21 2016
Labels: -Restrict-View-Commit