ohio813 / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash: memory corruption with large length in EAC3 packet #266

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
To reproduce, host the attached SWF and other files on a web server (e.g. 
localhost) and load it like this:

http://localhost/PlayManifest.swf?file=eac3.m3u8

On 32-bit Chrome on Windows, v40.0.2214.111, WinDbg sees the crash like this:

6dcca5e7 f3a5    rep movs dword ptr es:[edi],dword ptr [esi]

esi = 0x02c31000
edi = 0x02c2fffc
ecx = 0x3ff3f789

So, a wild memcpy-type fault, but I'm in the process of writing up how these are 
exploitable in Flash, and this one looks nearly identical to another bug where 
I've proven exploitability.

For reference, the EAC3 packet data (type = 0x87) is:

0x0B 0x77 0x00 0x01 0x0B 0x77 0xFF 0xFF

Where 0xFF 0xFF is the large length.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 18 Feb 2015 at 10:15

Attachments:
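The pattern behind the crash above, a length field taken straight from the packet and fed to a memcpy, as an added illustration that is not Flash's code, not the reporter's attachment, and not a reconstruction of the real demuxer. The packet layout it assumes (sync word 0x0B 0x77, four header bytes, a big-endian 16-bit length at offset 6, then that many payload bytes), the FRAME_CAP destination size, and all function and constant names are assumptions made for the example; only the eight packet bytes come from the report. The unchecked parser shows the shape of the bug, the checked one validates the length against both the input actually present and the destination's capacity before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: the EAC3 (stream type 0x87) packet bytes quoted
 * in the report.  The trailing 0xFF 0xFF is the "large length". */
static const uint8_t EAC3_PACKET[] = {0x0B, 0x77, 0x00, 0x01, 0x0B, 0x77, 0xFF, 0xFF};

/* Assumed layout for illustration only (not Flash's real parser): 2-byte sync
 * word, 4 header bytes, big-endian 16-bit payload length at offset 6, payload. */
#define HDR_LEN   8
#define FRAME_CAP 16   /* assumed fixed-size destination buffer */

typedef struct {
    uint8_t data[FRAME_CAP];
    size_t  used;
} frame_buf;

enum { PARSE_OK = 0, PARSE_BAD_SYNC = -1, PARSE_TRUNCATED = -2, PARSE_TOO_LARGE = -3 };

/* Constructed well-formed packet: declared length 4, four payload bytes. */
static const uint8_t GOOD_PACKET[] = {0x0B, 0x77, 0x00, 0x01, 0x0B, 0x77, 0x00, 0x04, 1, 2, 3, 4};
/* Constructed packet that declares 4 payload bytes but carries only 2. */
static const uint8_t SHORT_PACKET[] = {0x0B, 0x77, 0x00, 0x01, 0x0B, 0x77, 0x00, 0x04, 1, 2};
/* Constructed packet whose 20 payload bytes are all present but exceed FRAME_CAP. */
static const uint8_t BIG_PACKET[HDR_LEN + 20] = {0x0B, 0x77, 0x00, 0x01, 0x0B, 0x77, 0x00, 0x14};

/* Scratch destination shared by the demo calls below. */
static frame_buf g_fb;

/* Read the untrusted 16-bit length field; 0xFFFF for EAC3_PACKET. */
static unsigned declared_length(const uint8_t *pkt)
{
    return ((unsigned)pkt[6] << 8) | pkt[7];
}

/* Vulnerable pattern: trust the length and copy.  On EAC3_PACKET this would
 * read 65535 bytes past an 8-byte input and write them into a 16-byte buffer,
 * the wild memcpy the report describes.  Kept only to show the bug next to
 * the fix; main() calls it on GOOD_PACKET alone. */
static int copy_frame_unchecked(frame_buf *out, const uint8_t *pkt)
{
    if (pkt[0] != 0x0B || pkt[1] != 0x77) return PARSE_BAD_SYNC;
    unsigned len = declared_length(pkt);
    memcpy(out->data, pkt + HDR_LEN, len);   /* no bound on input or output */
    out->used = len;
    return PARSE_OK;
}

/* Hardened version: the length is checked against the bytes really present in
 * the input and against the destination's capacity before any copy happens. */
static int copy_frame_checked(frame_buf *out, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN) return PARSE_TRUNCATED;
    if (pkt[0] != 0x0B || pkt[1] != 0x77) return PARSE_BAD_SYNC;
    unsigned len = declared_length(pkt);
    if (len > pkt_len - HDR_LEN) return PARSE_TRUNCATED;   /* would read past input */
    if (len > FRAME_CAP) return PARSE_TOO_LARGE;           /* would write past output */
    memcpy(out->data, pkt + HDR_LEN, len);
    out->used = len;
    return PARSE_OK;
}

int main(void)
{
    printf("declared length in report packet: 0x%04X\n", declared_length(EAC3_PACKET));
    printf("checked parse of report packet:   %d\n",
           copy_frame_checked(&g_fb, EAC3_PACKET, sizeof EAC3_PACKET));
    printf("checked parse of short packet:    %d\n",
           copy_frame_checked(&g_fb, SHORT_PACKET, sizeof SHORT_PACKET));
    printf("checked parse of big packet:      %d\n",
           copy_frame_checked(&g_fb, BIG_PACKET, sizeof BIG_PACKET));
    printf("checked parse of good packet:     %d, %zu bytes\n",
           copy_frame_checked(&g_fb, GOOD_PACKET, sizeof GOOD_PACKET), g_fb.used);
    printf("unchecked parse of good packet:   %d, %zu bytes\n",
           copy_frame_unchecked(&g_fb, GOOD_PACKET), g_fb.used);
    return 0;
}
```

The two checks in copy_frame_checked are independent and both are needed: the input-length check alone still lets a packet that really carries more bytes than FRAME_CAP overflow the destination, and the capacity check alone still lets a truncated packet pull bytes from whatever follows it in memory.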

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 19 Feb 2015 at 8:19

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 10 Apr 2015 at 9:36

GoogleCodeExporter commented 9 years ago
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-06.html

Original comment by cev...@google.com on 14 Apr 2015 at 6:22

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 30 Apr 2015 at 7:20