Temptationx / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash memory corruption when upper casing malformed Unicode #124

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
There is a memory corruption that is triggered when uppercasing malformed Unicode. Specifically, when the opener of a surrogate pair is followed by the "latin small letter sharp S" character, a wild copy occurs leading to memory corruption.

A repro SWF is attached, along with source.

This bug might be platform specific. It certainly triggers on Pepper Flash on 
Linux (desktop; Chrome OS assumed faulty too). More testing is required on Mac 
and Windows.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 13 Oct 2014 at 8:36
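The report does not state the root cause, but the trigger it names has two well-known hazards for any case-conversion routine: an unpaired high surrogate (malformed UTF-16 that must not be consumed as the start of a pair) and U+00DF, whose full uppercase mapping is "SS", i.e. one input unit becomes two output units. The following is an added example, not code from the issue or from Flash: a two-pass UTF-16 uppercaser that first computes the exact output length and only then writes, so a length-expanding mapping can never overrun the destination. It decodes unpaired surrogates to U+FFFD (a design choice assumed here, not something the report specifies) and uses Python's own `str.upper()` for the case mapping; function names and the constructed sample input are mine.

```python
# Added example (not from the original report): a defensive UTF-16 uppercaser.
# Hazards handled: unpaired surrogates and case mappings that grow the text.
from typing import Iterator, List, Tuple

REPLACEMENT = 0xFFFD  # substituted for any unpaired surrogate code unit


def _decode_utf16(units: List[int]) -> Iterator[Tuple[int, bool]]:
    """Yield (code_point, was_malformed) for a sequence of UTF-16 code units."""
    i, n = 0, len(units)
    while i < n:
        u = units[i]
        if 0xD800 <= u <= 0xDBFF:  # high surrogate: valid only with a low surrogate next
            if i + 1 < n and 0xDC00 <= units[i + 1] <= 0xDFFF:
                cp = 0x10000 + ((u - 0xD800) << 10) + (units[i + 1] - 0xDC00)
                yield cp, False
                i += 2
                continue
            # Opener followed by anything else (e.g. U+00DF): do not treat as a pair
            yield REPLACEMENT, True
            i += 1
            continue
        if 0xDC00 <= u <= 0xDFFF:  # lone low surrogate
            yield REPLACEMENT, True
            i += 1
            continue
        yield u, False
        i += 1


def _encode_utf16(cp: int) -> List[int]:
    """Encode one scalar value as one or two UTF-16 code units."""
    if cp >= 0x10000:
        cp -= 0x10000
        return [0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)]
    return [cp]


def _upper_units(cp: int) -> List[int]:
    """Full uppercase mapping of one code point as UTF-16 units (U+00DF -> 'SS')."""
    out: List[int] = []
    for ch in chr(cp).upper():
        out.extend(_encode_utf16(ord(ch)))
    return out


def safe_upper_utf16(units: List[int]) -> Tuple[List[int], int]:
    """Return (uppercased_units, malformed_count).

    Pass 1 sizes the output; pass 2 writes into a buffer of exactly that size,
    so a 1-in/2-out mapping such as U+00DF can never write past the end.
    """
    decoded = list(_decode_utf16(units))
    needed = sum(len(_upper_units(cp)) for cp, _ in decoded)  # pass 1
    out = [0] * needed
    pos = 0
    for cp, _ in decoded:  # pass 2
        for u in _upper_units(cp):
            if pos >= needed:  # bounds check; unreachable given pass 1
                raise IndexError("output buffer too small")
            out[pos] = u
            pos += 1
    malformed = sum(1 for _, bad in decoded if bad)
    return out, malformed


# Constructed sample: a lone surrogate-pair opener followed by U+00DF,
# the shape of input the report describes.
MALFORMED_INPUT = [0xD83D, 0x00DF]

if __name__ == "__main__":
    print(safe_upper_utf16(MALFORMED_INPUT))  # ([0xFFFD, 0x53, 0x53], 1)
```

The malformed opener is consumed on its own and replaced, the sharp S expands to two units, and the buffer was sized for that expansion before any write happened; a converter that assumes one output unit per input unit, or that reads the unit after a high surrogate without checking that it is a low surrogate, is missing one of these two guards.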


GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 13 Oct 2014 at 10:30

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 6 Dec 2014 at 6:11

GoogleCodeExporter commented 9 years ago
Ah, this was fixed back in December's patch: 
http://helpx.adobe.com/security/products/flash-player/apsb14-27.html

Original comment by cev...@google.com on 14 Jan 2015 at 12:55