Flash out-of-bounds read with empty ID3 tag

[GoogleCodeExporter]

A SWF to reproduce is attached, along with source. There's a dependent data 
file, an mp3, which you should place in the same web server directory as the 
SWF.
A screenshot of the fault in action is also attached for convenience. Refresh 
the repro to see different values leak.

NOTE! This is an ActionScript 2 source file, so you'll need to compile 
accordingly.

The code simply reads the "track" property of the ID3 data in an mp3 file. The 
property seems to be an ActionScript string based on uninitialized memory.

I'm not 100% sure what's going on; I found this by accident. As far as I know, 
the mp3 and the ID3 data within it are valid. The only interesting thing is 
that the "track" string inside the ID3 data is a zero-length string.

Original issue reported on code.google.com by cev...@google.com on 22 Jul 2014 at 2:29

Attachments:

• ID3.as
• ID3.swf
• aSound.mp3
• id3.png

[GoogleCodeExporter]

Original comment by cev...@google.com on 23 Jul 2014 at 5:01

• Added labels: Id-2910

[GoogleCodeExporter]

Original comment by cev...@google.com on 5 Sep 2014 at 10:58

• Added labels: CVE-2014-0552

[GoogleCodeExporter]

http://helpx.adobe.com/security/products/flash-player/apsb14-21.html

Will derestrict in a week or so, etc.

Original comment by cev...@google.com on 9 Sep 2014 at 8:15

• Changed state: Fixed
• Added labels: Fixed-2014-Sep-9

[GoogleCodeExporter]

Making public.

Original comment by cev...@google.com on 23 Sep 2014 at 7:29

• Removed labels: Restrict-View-Commit