jack51706 / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash out-of-bounds read with empty ID3 tag #75

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
A SWF to reproduce is attached, along with source. There's a dependent data file, an mp3, which you should place in the same web server directory as the SWF.
A screenshot of the fault in action is also attached for convenience. Refresh the repro to see different values leak.

NOTE! This is an ActionScript 2 source file, so you'll need to compile accordingly.

The code simply reads the "track" property of the ID3 data in an mp3 file. The property seems to be an ActionScript string based on uninitialized memory.

I'm not 100% sure what's going on; I found this by accident. As far as I know, the mp3 and the ID3 data within it are valid. The only interesting thing is that the "track" string inside the ID3 data is a zero-length string.

Original issue reported on code.google.com by cev...@google.com on 22 Jul 2014 at 2:29

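An added illustration of the failure mode the report points at, not code from the issue, from Flash, or from the attached SWF: a minimal ID3v2.3 text-frame reader that treats a zero-length TRCK frame as an empty string instead of reading an encoding byte that is not there and then a "size minus one" text length. The tag bytes are constructed, and the v2.3 layout is an assumption, since the report does not say which ID3 version the mp3 carries.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed ID3v2.3 tag (not from the report): 10-byte header, a TIT2 frame
 * holding "A", a TRCK frame with a zero-length body (no encoding byte), padding. */
static const uint8_t sample_tag[] = {
    'I','D','3', 0x03,0x00, 0x00,  0x00,0x00,0x00,0x1C,        /* tag size 28 (synchsafe) */
    'T','I','T','2', 0x00,0x00,0x00,0x02, 0x00,0x00, 0x00,'A', /* enc=ISO-8859-1, text "A" */
    'T','R','C','K', 0x00,0x00,0x00,0x00, 0x00,0x00,           /* empty body: the edge case */
    0,0,0,0,0,0                                                 /* padding */
};

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static uint32_t synchsafe(const uint8_t *p) { return (p[0] & 0x7f) << 21 | (p[1] & 0x7f) << 14 | (p[2] & 0x7f) << 7 | (p[3] & 0x7f); }

/* Copies the ISO-8859-1 text of frame `id` into `out`. Returns 1 if found,
 * 0 if absent, -1 if the tag is malformed or `out` is too small. */
int id3v2_text_frame(const uint8_t *buf, size_t len, const char *id, char *out, size_t outlen) {
    if (outlen == 0 || len < 10 || memcmp(buf, "ID3", 3) != 0 || buf[3] != 3) return -1;
    size_t tag_size = synchsafe(buf + 6);
    if (tag_size > len - 10) return -1;                 /* declared size exceeds the buffer */
    size_t pos = 10, end = 10 + tag_size;
    while (pos + 10 <= end && buf[pos] != 0) {          /* a zero byte starts the padding */
        uint32_t fsize = be32(buf + pos + 4);
        if (fsize > end - (pos + 10)) return -1;        /* frame body runs past the tag */
        const uint8_t *body = buf + pos + 10;
        if (memcmp(buf + pos, id, 4) == 0) {
            /* A naive reader does `enc = body[0]; n = fsize - 1;` here. With fsize == 0
             * that reads a byte outside the frame and turns n into SIZE_MAX: exactly the
             * kind of empty-field edge case that yields a string built from stray memory. */
            if (fsize == 0) { out[0] = '\0'; return 1; }
            if (body[0] != 0x00) return -1;             /* only ISO-8859-1 handled here */
            size_t n = fsize - 1;
            if (n + 1 > outlen) return -1;
            memcpy(out, body + 1, n);
            out[n] = '\0';
            return 1;
        }
        pos += 10 + fsize;
    }
    return 0;
}

/* 1 if frame `id` in the sample tag parses to exactly `expected`, else 0. */
static int sample_frame_is(const char *id, const char *expected) {
    char out[32];
    return id3v2_text_frame(sample_tag, sizeof sample_tag, id, out, sizeof out) == 1
           && strcmp(out, expected) == 0;
}
```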

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 23 Jul 2014 at 5:01

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 5 Sep 2014 at 10:58

GoogleCodeExporter commented 9 years ago
http://helpx.adobe.com/security/products/flash-player/apsb14-21.html

Will derestrict in a week or so, etc.

Original comment by cev...@google.com on 9 Sep 2014 at 8:15

GoogleCodeExporter commented 9 years ago
Making public.

Original comment by cev...@google.com on 23 Sep 2014 at 7:29