Status: Fixed
Closed: Sep 2014
Flash out-of-bounds read with empty ID3 tag
Reported by cevans@google.com, Jul 22 2014
A SWF to reproduce is attached, along with source. There's a dependent data file, an mp3, which you should place in the same web server directory as the SWF.
A screenshot of the fault in action is also attached for convenience. Refresh the repro to see different values leak.

NOTE! This is an ActionScript 2 source file, so you'll need to compile accordingly.

The code simply reads the "track" property of the ID3 data in an mp3 file. The property seems to be an ActionScript string based on uninitialized memory.

I'm not 100% sure what's going on; I found this by accident. As far as I know, the mp3 and the ID3 data within it are valid. The only interesting thing is that the "track" string inside the ID3 data is a zero-length string.
 
Attachments: id3.png (7.6 KB), ID3.swf (524 bytes), ID3.as (650 bytes), aSound.mp3 (1.1 MB)
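An added example, not code from the report or from Flash: a bounds-checked ID3v2.3 text-frame parser in Python, run over a constructed tag whose TRCK (track) frame has a zero-length body, the edge case the report describes, and returning an empty string for it instead of reading outside the tag. The sample bytes and the helper names are assumptions, and nothing here claims to show the actual fault inside Flash, which the report itself leaves open.

```python
import struct

def _syncsafe(b: bytes) -> int:
    """Decode the 4-byte syncsafe (7 bits per byte) size from an ID3v2 header."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def _decode_text(body: bytes) -> str:
    """Decode an ID3v2 text frame body; a zero-length body is a valid empty string."""
    if not body:                       # not even an encoding byte: nothing to read
        return ""
    codec = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}.get(body[0], "latin-1")
    return body[1:].decode(codec, errors="replace").split("\x00", 1)[0]

def parse_id3v2(data: bytes) -> dict:
    """Return {frame_id: text} for ID3v2.3 text frames; every slice is bounds-checked."""
    if len(data) < 10 or data[:3] != b"ID3":
        return {}
    end = min(10 + _syncsafe(data[6:10]), len(data))  # never trust the declared size over the buffer
    pos, frames = 10, {}
    while pos + 10 <= end:                           # need a full 10-byte frame header
        frame_id = data[pos:pos + 4]
        if frame_id == b"\x00\x00\x00\x00":          # padding: no more frames
            break
        size = struct.unpack(">I", data[pos + 4:pos + 8])[0]  # v2.3 frame sizes are plain big-endian
        body_start = pos + 10
        if size > end - body_start:                  # frame claims more bytes than the tag holds
            break
        if frame_id.startswith(b"T"):
            frames[frame_id.decode("ascii", "replace")] = _decode_text(data[body_start:body_start + size])
        pos = body_start + size
    return frames

def build_frame(frame_id: bytes, body: bytes) -> bytes:
    """Constructed-sample helper: one ID3v2.3 frame (id, big-endian size, zero flags, body)."""
    return frame_id + struct.pack(">I", len(body)) + b"\x00\x00" + body

def build_tag(frames: bytes) -> bytes:
    """Constructed-sample helper: ID3v2.3 header with syncsafe size around the given frames."""
    n = len(frames)
    return b"ID3\x03\x00\x00" + bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F]) + frames

# Constructed sample (not bytes taken from the attached aSound.mp3): a title frame followed by
# a TRCK frame whose body is zero-length, the case the report describes.
SAMPLE_TAG = build_tag(build_frame(b"TIT2", b"\x00aSound") + build_frame(b"TRCK", b""))

if __name__ == "__main__":
    print(parse_id3v2(SAMPLE_TAG))   # {'TIT2': 'aSound', 'TRCK': ''}
```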
Comment 1 by cevans@google.com, Jul 23 2014
Labels: Id-2910
Comment 2 by cevans@google.com, Sep 5 2014
Labels: CVE-2014-0552
Comment 3 by cevans@google.com, Sep 9 2014
Labels: Fixed-2014-Sep-9
Status: Fixed
http://helpx.adobe.com/security/products/flash-player/apsb14-21.html

Will derestrict in a week or so, etc.
Comment 4 by cevans@google.com, Sep 23 2014
Labels: -Restrict-View-Commit
Making public.