Status: Fixed
Closed: Jun 2016
Adobe Flash: Double Free in JXR Processing
Project Member Reported by natashenka@google.com, Mar 31 2016
There is a heap overflow when loading the attached JXR file in Adobe Flash. To reproduce, load the attached file using LoadImage.swf?img=12.atf.

This issue can be a bit difficult to reproduce, as the crash occurs when the player is destroyed, so the crash screen doesn't always show up on the Player. The easiest way to detect the issue is to attach a debugger to the Player and refresh a few times.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

12.atf
542 bytes Download
LoadImage.swf
1.2 KB Download
Project Member Comment 1 by natashenka@google.com, Apr 1 2016
Took a closer look at this; it is a UaF of plane->model_hp_buffer in the open-source JXR component.
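The bug class named in the title and in comment 1 (a per-plane buffer freed on one teardown path and freed again, or reused, on another) is illustrated below as an added example; this is not code from the JXR component or from the report, and the `plane_t` structure, `model_hp_buffer` size and both release functions are constructed stand-ins. It places the defective release pattern beside the hardened one, where the pointer is cleared after the free so a second teardown is a no-op, and uses a counting wrapper around free() so the outcome can be checked without crashing. Building with `-fsanitize=address` is the quickest way to surface a real double free or UaF of this shape during triage, which matches the report's note that the crash only appears at player destruction.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Hypothetical stand-in for the decoder's per-plane state; the real
 * structure in the JXR component is not reproduced here. */
typedef struct {
    uint8_t *model_hp_buffer;
    size_t   model_hp_len;
} plane_t;

/* Instrumented free: counts releases so the test can prove each buffer is
 * freed exactly once (constructed for this example, not part of any decoder). */
int free_calls = 0;
void counted_free(void *p) { free_calls++; free(p); }

/* Allocate the plane's buffer; returns 0 on success, -1 on allocation failure. */
int plane_init(plane_t *plane, size_t len) {
    plane->model_hp_buffer = calloc(len, 1);
    if (!plane->model_hp_buffer) return -1;
    plane->model_hp_len = len;
    return 0;
}

/* Defective pattern: frees the buffer but leaves the dangling pointer in
 * place, so a second teardown path (an error path followed by the normal
 * destructor, for instance) frees it again. Shown for contrast; never run
 * twice against real memory. */
void plane_release_unsafe(plane_t *plane) {
    counted_free(plane->model_hp_buffer);
}

/* Hardened pattern: clear pointer and length after the free so a repeated
 * teardown is harmless and any later access faults on NULL instead of
 * silently touching freed memory. */
void plane_release(plane_t *plane) {
    if (plane->model_hp_buffer) {
        counted_free(plane->model_hp_buffer);
        plane->model_hp_buffer = NULL;
        plane->model_hp_len = 0;
    }
}

/* Run two teardown passes through the hardened path; returns 1 when free()
 * ran exactly once and the pointer was cleared, 0 otherwise. */
int demo_double_teardown(void) {
    plane_t plane;
    free_calls = 0;
    if (plane_init(&plane, 64) != 0) return 0;
    plane_release(&plane);
    plane_release(&plane);   /* second pass must be a no-op */
    return free_calls == 1 && plane.model_hp_buffer == NULL;
}

int main(void) {
    printf("hardened release survives double teardown: %s\n",
           demo_double_teardown() ? "yes" : "no");
    return 0;
}
```

The same discipline (free, then null the owning pointer) also turns a later use-after-free into a deterministic NULL dereference, which is far easier to spot in a debugger than the delayed, intermittent crash described in the report.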
Project Member Comment 2 by natashenka@google.com, Apr 1 2016
Labels: -Reported-2016-Mar-31 Reported-2016-Apr-1
Summary: Adobe Flash: Double Free in JXR Processing (was: Adobe Flash: Heap Overflow in JXR Processing)
Project Member Comment 3 by natashenka@google.com, Apr 5 2016
Labels: Id-5084
Project Member Comment 4 by mjurczyk@google.com, Jun 17 2016
Labels: CVE-2016-4136 Fixed-2016-Jun-16
Status: Fixed
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb16-18.html.
Project Member Comment 5 by natashenka@google.com, Jul 7 2016
Labels: -Restrict-View-Commit