A SWF to reproduce is attached, along with its source. Note that the SWF must be loaded through an HTML embed (also attached) so that wmode="direct" can be set; without it the 3D APIs are unavailable.
This is probably due to an integer overflow.
Note that this bug is almost certainly 64-bit only. The PoC relies on an allocation that is almost 4GB in size, and obviously such an allocation is never going to succeed in a 32-bit address space.
Also, the bug does not work in Chrome 64-bit Linux, because Chrome 64-bit Linux has a defense that limits total allocations to 4GB. The PoC still crashes the Flash process in Chrome, presumably due to a NULL pointer dereference when the oversized allocation fails.
To reproduce fully, try 64-bit Flash in 64-bit IE, or run Chrome 64-bit Linux with the --no-sandbox flag (which disables the 4GB limit).
Attachments:
- CompressedTextureUploadBug.as (2.3 KB)
- CompressedTextureUploadBugEmbed.html (126 bytes)
- CompressedTextureUploadBug.swf (1.1 KB)