Flash: use-after-free in display list handling from KeenTeam

[GoogleCodeExporter]

Credit is to "Jihui Lu of KeenTeam (@K33nTeam), working with the Chromium 
vulnerability reward program"

Flash player 15.0.0.239 in Chrome 39 Linux x64.

There is a use-after-free in display list handling. I attach a variety of repro 
cases, which I believe are all the same root cause based on crash stack traces.

The file "display_list_uaf6.swf" does seem to manifest differently and not be 
as reliable, so it is worth extra checking that any fix fixes this case.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 3 Dec 2014 at 8:26

Attachments:

• display_list_uaf1.as
• display_list_uaf1.swf
• display_list_uaf2.as
• display_list_uaf2.swf
• display_list_uaf3.as
• display_list_uaf3.swf
• display_list_uaf4.as
• display_list_uaf4.swf
• display_list_uaf5.as
• display_list_uaf5.swf
• display_list_uaf6.as
• display_list_uaf6.swf

[GoogleCodeExporter]

Original comment by cev...@google.com on 4 Dec 2014 at 3:41

[GoogleCodeExporter]

Adobe is tracking as PSIRT-3170.

Original comment by cev...@google.com on 4 Dec 2014 at 3:46

• Changed title: Flash: use-after-free in display list handling from KeenTeam
• Added labels: Id-3170

[GoogleCodeExporter]

On Feb 17, Adobe formally requested to use the grace period for this bug under 
the new policy: 
http://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-t
o.html

Adobe stated that a patch will be available on March 10. The deadline expires 
on March 3, so March 10 is 7 days into the grace period, which is within the 14 
day grace period limit.

Original comment by cev...@google.com on 20 Feb 2015 at 7:01

• Added labels: Deadline-Exceeded, Deadline-Grace

[GoogleCodeExporter]

Original comment by cev...@google.com on 6 Mar 2015 at 6:06

• Added labels: CVE-2015-0342

[GoogleCodeExporter]

https://helpx.adobe.com/security/products/flash-player/apsb15-05.html

Original comment by cev...@google.com on 12 Mar 2015 at 7:33

• Changed state: Fixed

[GoogleCodeExporter]

Original comment by cev...@google.com on 19 Mar 2015 at 7:57

• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Chromium bug for reward tracking is 
https://code.google.com/p/chromium/issues/detail?id=464871

Original comment by cev...@google.com on 26 Mar 2015 at 1:04