Status: Fixed
Closed: Aug 2014
Flash leak of uninitialized data when image zlib stream ends prematurely
Reported by cevans@google.com, Jul 14 2014
A SWF to reproduce is attached, along with source. To reproduce, host the additional resource SWF "imglossless8bpp.swf" on the same web server / directory as Lossless8bppLeak.swf

I'm fairly sure this is a very different bug to the "Lossless1bppLeak.swf" bug. To manifest this bug, we pull a fun little trick: we terminate the image data zlib stream early, before emitting any pixel data for the image. This leaves uninitialized data in the canvas which we can read out to script. The demo SWF file grabs a pointer value and displays it (64-bit Linux) to illustrate the point.

A screenshot is attached for convenience.

Since it's very easy to use this vulnerability to read uninitialized memory content, a 90-day disclosure deadline applies.

Attachments: Lossless8bppLeak.as (1.9 KB), 8bppleak.png (12.4 KB), Lossless8bppLeak.swf (1.2 KB), imglossless8bpp.swf (1.4 KB)
Comment 1 by cevans@google.com, Jul 15 2014
Labels: Id-2890
Comment 2 by cevans@google.com, Aug 21 2014
Labels: CVE-2014-0544
Comment 3 by cevans@google.com, Aug 21 2014
Labels: Fixed-2014-Aug-12
Bulletin: http://helpx.adobe.com/security/products/flash-player/apsb14-18.html
Comment 4 by cevans@google.com, Aug 21 2014
Labels: -Restrict-View-Commit
Comment 5 by cevans@google.com, Aug 21 2014
Status: Fixed
Blogged about here: http://googleprojectzero.blogspot.com/2014/08/what-does-pointer-look-like-anyway.html

Marking as Fixed since the patch is available since > 1 week.