Flash: memory corruption with excessive CEA-708 data block length

[GoogleCodeExporter]

To reproduce, host the attached SWF and other files on a web server (e.g. 
localhost) and load it like this:

http://localhost/PlayManifest.swf?file=caption.m3u8

On 32-bit Chrome on Windows, v40.0.2214.111, WinDbg sees the crash like this:

6deb64eb 8b01     mov    eax,dword ptr [ecx]  ds:002b:41414141=????????
                  call   dword ptr [eax+3Ch]

Looks like vtable dispatch to me, with an attacker controlled "this" pointer.

This is the protocol in question: http://en.wikipedia.org/wiki/CEA-708

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 16 Feb 2015 at 8:59

Attachments:

• caption.m3u8
• prog_index_caption.m3u8
• caption.ts
• PlayManifest.swf
• PlayManifest.as

[GoogleCodeExporter]

Original comment by cev...@google.com on 17 Feb 2015 at 4:58

• Added labels: Id-3313

[GoogleCodeExporter]

Original comment by cev...@google.com on 10 Apr 2015 at 9:36

• Added labels: CVE-2015-0355

[GoogleCodeExporter]

Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-06.html

Original comment by cev...@google.com on 14 Apr 2015 at 6:22

• Changed state: Fixed

[GoogleCodeExporter]

Original comment by cev...@google.com on 30 Apr 2015 at 7:20

• Removed labels: Restrict-View-Commit