v4ng3l1s / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash: bad cast(?) in display list handling from KeenTeam #209

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Credit is to "Jihui Lu of KeenTeam (@K33nTeam), working with the Chromium vulnerability reward program"

Flash player 15.0.0.239 in Chrome 39 Linux x64.

This bug is hard to categorize; I'm thinking that it might be a bad cast issue after a debugging session. The impact seems to differ per-platform but be fairly deterministic per-platform. On Linux x64, I commonly see a NULL pointer dereference. Other platforms show clearer evidence of corruption; attaching a windbg log from the researcher on 32-bit Windows.

I also attach apparent variants.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 3 Dec 2014 at 9:03

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 4 Dec 2014 at 3:42

GoogleCodeExporter commented 9 years ago
Adobe tracking as PSIRT-3168.

Original comment by cev...@google.com on 4 Dec 2014 at 3:45

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 4 Feb 2015 at 7:09

GoogleCodeExporter commented 9 years ago
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html

Original comment by cev...@google.com on 6 Feb 2015 at 3:14

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 12 Feb 2015 at 8:11