Flash: use-after-free(?) in bitmap decoding(?) from KeenTeam

[GoogleCodeExporter]

Credit is to "Jihui Lu of KeenTeam (@K33nTeam), working with the Chromium 
vulnerability reward program"

Flash Player 16.0.0.296 in Chrome 40 Linux x64

I believe this is a use-after-free, due to quite varying crash stack trace 
depending on platform, etc. One example crash in the release build of Pepper 
Flash Player is:

=> 0x00007f471374f965:  movl   $0x1,0x60(%rdi)

rdi            0x7f471348bc10   139943242939408

7f4713206000-7f47141a0000 r-xp 00000000 fd:01 674828                     
/opt/google/chrome/PepperFlash/libpepflashplayer.so

TL;DR: this is an attempt to write to the executable text of the Flash library.

PoC.swf is attached. I expect it's a fuzz case; source not available.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 27 Jan 2015 at 11:50

Attachments:

• PoC.swf

[GoogleCodeExporter]

Original comment by cev...@google.com on 28 Jan 2015 at 7:54

• Added labels: Id-3260

[GoogleCodeExporter]

Original comment by cev...@google.com on 4 Feb 2015 at 7:02

• Added labels: CVE-2015-0322

[GoogleCodeExporter]

https://helpx.adobe.com/security/products/flash-player/apsb15-04.html

Original comment by cev...@google.com on 6 Feb 2015 at 3:14

• Changed state: Fixed
• Added labels: Fixed-2015-Feb-5

[GoogleCodeExporter]

Original comment by cev...@google.com on 12 Feb 2015 at 8:13

• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Original comment by cev...@google.com on 26 Mar 2015 at 1:22