790 - Adobe Flash: Heap Corruption in LMZA Property Decoding - project-zero

Starred by 1 user

Status:	Fixed
Owner:	natashenka@google.com
Closed:	Jun 2016
Cc:	project-...@google.com
Finder-natashenka Deadline-90 CCProjectZeroMembers Severity-High Vendor-Adobe Finder-mjurczyk Product-Adobe Reported-2016-Apr-1 Id-5086 Fixed-2016-Jun-16 CVE-2016-4137

Adobe Flash: Heap Corruption in LMZA Property Decoding

Project Member Reported by natashenka@google.com, Apr 1 2016

Back to list

Loading the attached image causes heap corruption due to LMZA property decoding. To reproduce the issue, load the attach file '6' using LoadImage.swf as follows:

LoadImage.swf?img=6

The issue sometimes takes multiple refreshes to crash


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

LoadImage.swf
1.2 KB Download

6
61 bytes View Download

Project Member Comment 1 by natashenka@google.com, Apr 5 2016

Labels: Id-5086

Project Member Comment 2 by mjurczyk@google.com, Jun 17 2016

Labels: Fixed-2016-Jun-16 CVE-2016-4137
Status: Fixed

Fixed in https://helpx.adobe.com/security/products/flash-player/apsb16-18.html.

Project Member Comment 3 by natashenka@google.com, Jul 7 2016

Labels: -Restrict-View-Commit

► Sign in to add a comment