lovekurdt / google-security-research

Automatically exported from code.google.com/p/google-security-research

Adobe Flash URL Resource Use-after-free #410

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following crash was observed in Flash Player 17.0.0.188 on Windows:

(81c.854): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=37397006 ebx=00000000 ecx=008c0493 edx=09f390d0 esi=08c24d98 edi=09dc2000
eip=07a218cb esp=015eda80 ebp=015edb24 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050216
Flash32_17_0_0_188+0x18cb:
07a218cb ff6004           jmp   dword ptr [eax+0x4] ds:0023:3739700a=????????

- The test case reproduces on Windows 7 using IE11. It does not appear to immediately reproduce on Windows+Chrome or Linux+Chrome.

- The crash can also reproduce on one of the two mov instructions prior to the jmp shown here.

- The crash appears to occur due to a use-after-free related to loading a sub-resource from a URL.

- The test case minimizes to an 11-bit difference from the original sample file.

- The following test cases are attached: 2038518113_crash.swf (crashing file), 2038518113_min.swf (minimized file), 2038518113_orig.swf (original non-crashing file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 28 May 2015 at 7:24

Attachments:
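The WinDbg output above is what a triager reads to decide how seriously to treat a crash: the faulting instruction is an indirect jump through `[eax+0x4]`, and the annotation `3739700a=????????` says the memory behind that pointer is unmapped, the classic signature of a virtual call on a freed object. The following is an added example, not part of the original report or of Project Zero's tooling, that parses this dump and applies that heuristic (in the spirit of MSEC's `!exploitable`); the register and fault-line regexes are assumptions about the WinDbg line layout shown here.

```python
import re
from typing import Optional

# Constructed from the WinDbg output quoted in the report (Flash Player 17.0.0.188, IE11).
CRASH_DUMP = """\
(81c.854): Access violation - code c0000005 (first chance)
eax=37397006 ebx=00000000 ecx=008c0493 edx=09f390d0 esi=08c24d98 edi=09dc2000
eip=07a218cb esp=015eda80 ebp=015edb24 iopl=0         nv up ei pl nz ac po nc
Flash32_17_0_0_188+0x18cb:
07a218cb ff6004           jmp   dword ptr [eax+0x4] ds:0023:3739700a=????????
"""

# 32-bit general-purpose registers as WinDbg prints them: name=8 hex digits.
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})")
# Faulting line: address, opcode bytes, mnemonic, "[reg+0xNN]" operand, "seg:addr=value" annotation.
FAULT_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F]{8})\s+[0-9a-fA-F]+\s+(?P<mnem>\w+)\s+.*?"
    r"\[(?P<base>e\w\w)(?:\+0x(?P<disp>[0-9a-fA-F]+))?\]\s+\w+:[0-9a-fA-F]+:(?P<ea>[0-9a-fA-F]{8})=(?P<val>\S+)",
    re.MULTILINE,
)
CONTROL_FLOW = {"jmp", "call"}  # mnemonics that transfer control through the operand

def triage(dump: str) -> Optional[dict]:
    """Return a triage record for a memory-operand fault, or None if none is found."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(dump)}
    m = FAULT_RE.search(dump)
    if not m or m.group("base") not in regs:
        return None
    # Recompute the effective address from the register dump and cross-check it
    # against the address WinDbg annotated on the faulting instruction.
    computed = (regs[m.group("base")] + int(m.group("disp") or "0", 16)) & 0xFFFFFFFF
    unreadable = set(m.group("val")) == {"?"}          # "????????" means unmapped memory
    indirect = m.group("mnem").lower() in CONTROL_FLOW
    verdict = ("control transfer through unreadable pointer: treat as exploitable"
               if indirect and unreadable else "data access fault: needs manual review")
    return {
        "faulting_eip": int(m.group("addr"), 16),
        "mnemonic": m.group("mnem"),
        "base_register": m.group("base"),
        "effective_address": computed,
        "address_matches_dump": computed == int(m.group("ea"), 16),
        "target_unreadable": unreadable,
        "indirect_control_flow": indirect,
        "verdict": verdict,
    }

if __name__ == "__main__":
    for key, value in triage(CRASH_DUMP).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

For this dump the record reports `eax` + 4 = `0x3739700a`, matching WinDbg's annotation, with an unreadable target on a `jmp`, which is why the report treats the crash as a use-after-free rather than a benign null dereference.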

GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 24 Jun 2015 at 9:27

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 5 Jul 2015 at 6:34

GoogleCodeExporter commented 9 years ago
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

Original comment by cev...@google.com on 9 Jul 2015 at 12:28

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 18 Aug 2015 at 7:40