786 - Adobe Flash: Overflow in ATF Processing - project-zero

Starred by 1 user

Status:	Fixed
Owner:	natashenka@google.com
Closed:	Jun 2016
Cc:	project-...@google.com
Finder-natashenka Deadline-90 CCProjectZeroMembers Product-Flash Severity-High Vendor-Adobe Finder-mjurczyk Reported-2016-Mar-28 PSIRT-5026 Fixed-2016-Jun-16 CVE-2016-4135

Adobe Flash: Overflow in ATF Processing

Project Member Reported by natashenka@google.com, Mar 28 2016

Back to list

The attached ATF file causes a heap overflow in ATF processing. To reproduce this issue, put LoadImage.swf and test.png on a remote server, and visit http://127.0.0.1/LoadImage.swf?img=test.png.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

LoadImage.swf
1.2 KB Download

	test.png 95 bytes View Download

Project Member Comment 1 by natashenka@google.com, Mar 30 2016

To differentiate this from other ATF issues, this is an overflow in decompressing alphas when an image has a height of 1 pixel.

Project Member Comment 2 by scvitti@google.com, Mar 31 2016

Labels: -Reported-2016-03-28 Reported-2016-Mar-28

Project Member Comment 3 by natashenka@google.com, May 16 2016

Labels: PSIRT-5026

Project Member Comment 4 by hawkes@google.com, Jun 16 2016

Labels: -Vendor-Flash Vendor-Adobe

Project Member Comment 5 by mjurczyk@google.com, Jun 17 2016

Labels: Fixed-2016-Jun-16 CVE-2016-4135
Status: Fixed

Fixed in https://helpx.adobe.com/security/products/flash-player/apsb16-18.html.

Project Member Comment 6 by natashenka@google.com, Jul 7 2016

Labels: -Restrict-View-Commit

► Sign in to add a comment