search

ganado / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Flash out-of-bounds read in uploadCompressedTextureFromByteArray() #71

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
A SWF to reproduce is attached, along with source. Note that the SWF must be 
loaded by an HTML embed (file also attached) so that wmode="direct" can be set 
in order to get the 3D APIs to work.

This is probably due to an integer overflow.

Note that this bug is almost certainly 64-bit only. The PoC relies on an 
allocation that is almost 4GB in size, and obviously such an allocation is 
never going to succeed in a 32-bit address space.

Also, the bug does not work in Chrome 64-bit Linux, because Chrome 64-bit Linux 
has a defense that limits total allocations to 4GB. The PoC still crashes the 
Flash process in Chrome, presumably due to a NULL pointer.

In order to repro fully, try 64-bit Flash in 64-bit IE, or run Chrome 64-bit 
Linux with the --no-sandbox flag (which disables the 4GB limit).

Original issue reported on code.google.com by cev...@google.com on 17 Jul 2014 at 1:31

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 17 Jul 2014 at 4:45

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 17 Jul 2014 at 4:45

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 5 Sep 2014 at 11:00

GoogleCodeExporter commented 9 years ago 
http://helpx.adobe.com/security/products/flash-player/apsb14-21.html

Will derestrict in a week or so, etc.

Original comment by cev...@google.com on 9 Sep 2014 at 8:15

GoogleCodeExporter commented 9 years ago 
Making public.

Original comment by cev...@google.com on 23 Sep 2014 at 7:29