A SWF to reproduce is attached, along with source. To reproduce, host the additional resource SWF "jpgswfalpha.swf" on the same web server / directory as JPEGLeakAlpha.swf
For JPEG images in Flash, there's an optional zlib-compressed alpha channel component after the JPEG data. If we supply a zlib stream that terminates early, uninitialized alpha channel values are used and these can be leaked to script.
The demo SWF file grabs a pointer value and displays it (64-bit Linux) to illustrate the point.
A screenshot is attached for convenience.
Since it's very easy to use this vulnerability to read uninitialized memory content, a 90-day disclosure deadline applies.
