Flash: bad dereference at 0x23c on Linux x64

[GoogleCodeExporter]

The attached sample, 
signal_sigsegv_7ffff603deef_1525_268381c02bc3b05c84578ebaeafc02f0.swf, 
typically crashes in this way on my Linux x64 build (Flash v17.0.0.188):

=> 0x00007f693155bf58:  mov    (%rdi),%rbx
rdi            0x23c    572

At first glance this might appear to be a NULL dereference but sometimes it 
crashes trying to access 0xc8 and different builds have shown crashes at much 
wilder addresses, so there is probably a use-after-free or other 
non-deterministic condition going on. For example, our fuzzing cluster saw a 
crash at 0x400000001.

The base sample from which the fuzz case is derived is also attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 20 May 2015 at 11:09

Attachments:

• signal_sigsegv_7ffff603deef_1525_268381c02bc3b05c84578ebaeafc02f0.swf
• 268381c02bc3b05c84578ebaeafc02f0.swf

[GoogleCodeExporter]

PSIRT-3732

Original comment by cev...@google.com on 26 May 2015 at 10:17

• Added labels: Id-3732

[GoogleCodeExporter]

Original comment by natashe...@google.com on 11 Aug 2015 at 3:36

• Changed state: Fixed
• Added labels: CVE-2015-5546

[GoogleCodeExporter]

Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

Original comment by natashe...@google.com on 18 Aug 2015 at 7:34

[GoogleCodeExporter]

Original comment by natashe...@google.com on 18 Aug 2015 at 7:34

• Removed labels: Restrict-View-Commit