staticanalysis / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash heap buffer overflow calling Camera.copyToByteArray() with a large ByteArray #116

Status: Closed (closed by GoogleCodeExporter 9 years ago)

GoogleCodeExporter commented 9 years ago
This bug came out of a conversation with Nicolas Joly. I don't feel comfortable 
claiming any credit, but I'll happily take on the co-ordination, 
i.e. please credit simply "Nicolas Joly".

This is extremely similar to 
https://code.google.com/p/google-security-research/issues/detail?id=46

The main difference is that in order to trigger the bug, it is necessary for 
the user to click through the camera permission dialog, which lowers the 
severity.

Source and compiled SWF attached. Faults my Chrome Linux x64 every time, Flash 
v15.0.0.152.

Note that you'll need to click "ok" on all the permission dialogs before a 
timer fires at the 2 second mark. If you miss, just refresh and try again.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 24 Sep 2014 at 8:49


GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 24 Sep 2014 at 8:12

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 28 Oct 2014 at 10:43

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 8 Nov 2014 at 2:36

GoogleCodeExporter commented 9 years ago
http://helpx.adobe.com/security/products/flash-player/apsb14-24.html

Original comment by cev...@google.com on 20 Nov 2014 at 1:25