secretsquirrel / google-security-research

Automatically exported from code.google.com/p/google-security-research
3 stars 0 forks source link

Flash heap buffer overflow calling Camera.copyToByteArray() with a large ByteArray #116

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
This bug came out of a conversation with Nicolas Joly. I don't feel comfortable 
claiming any credit but I'll happily take on the co-ordination.
i.e. please credit simply "Nicolas Joly"

This is extremely similar to 
https://code.google.com/p/google-security-research/issues/detail?id=46

The main difference is that in order to trigger the bug, it is necessary for 
the user to click through the camera permission dialog, which lowers the 
severity.

Source and compiled SWF attached. Faults my Chrome Linux x64 every time, Flash 
v15.0.0.152.

Note that you'll need to click "ok" on all the permission dialogs before a 
timer fires at the 2 second mark. If you miss, just refresh and try again.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 24 Sep 2014 at 8:49

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 24 Sep 2014 at 8:12

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 28 Oct 2014 at 10:43

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 8 Nov 2014 at 2:36

GoogleCodeExporter commented 9 years ago
http://helpx.adobe.com/security/products/flash-player/apsb14-24.html

Original comment by cev...@google.com on 20 Nov 2014 at 1:25