superuser5 / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash: bad dereference at 0x23c on Linux x64 #398

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The attached sample, 
signal_sigsegv_7ffff603deef_1525_268381c02bc3b05c84578ebaeafc02f0.swf, 
typically crashes in this way on my Linux x64 build (Flash v17.0.0.188):

=> 0x00007f693155bf58:  mov    (%rdi),%rbx
rdi            0x23c    572

At first glance this might appear to be a NULL dereference but sometimes it 
crashes trying to access 0xc8 and different builds have shown crashes at much 
wilder addresses, so there is probably a use-after-free or other 
non-deterministic condition going on. For example, our fuzzing cluster saw a 
crash at 0x400000001.

The base sample from which the fuzz case is derived is also attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 20 May 2015 at 11:09

Attachments:
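
The triage reasoning in the report (small faulting addresses such as 0x23c and 0xc8 look like NULL-plus-offset reads, while values such as 0x400000001 point at a non-deterministic condition) can be automated over a set of crash excerpts from repeated runs. The script below is an added illustration, not part of the original issue or the Flash Player code; the gdb-style excerpts are constructed after the report's format, and the 0x10000 null-page threshold is an assumed heuristic.

```python
import re
from collections import Counter

# Constructed gdb-style excerpts modelled on the report: the faulting
# instruction line, then the register-dump line for its base register.
CRASHES = [
    "=> 0x00007f693155bf58:  mov    (%rdi),%rbx\nrdi            0x23c    572",
    "=> 0x00007f693155bf58:  mov    (%rdi),%rbx\nrdi            0xc8     200",
    "=> 0x00007f1234567890:  mov    0x10(%rax),%rcx\nrax            0x400000001    17179869185",
]

# AT&T memory operand: optional displacement, then (%reg).
MEM_RE = re.compile(r"(-?0x[0-9a-f]+)?\(%(\w+)\)", re.I)
# gdb "info registers" style line: name, hex value, decimal value.
REG_RE = re.compile(r"^(\w+)\s+0x([0-9a-f]+)", re.M | re.I)

# Assumed heuristic: addresses below this are treated as NULL + small offset
# (the low region is unmapped on a typical Linux x64 system).
NULL_PAGE_LIMIT = 0x10000


def fault_address(excerpt):
    """Return (base_register, effective_address) for the faulting access."""
    insn_line = next(l for l in excerpt.splitlines() if l.startswith("=>"))
    m = MEM_RE.search(insn_line)
    if not m:
        raise ValueError("no memory operand on faulting instruction")
    disp = int(m.group(1), 16) if m.group(1) else 0
    reg = m.group(2)
    regs = {name.lower(): int(val, 16) for name, val in REG_RE.findall(excerpt)}
    return reg, regs[reg.lower()] + disp


def classify(addr):
    """Label a single effective address the way a first-glance triage would."""
    return "null-deref-like" if 0 <= addr < NULL_PAGE_LIMIT else "wild"


def triage(excerpts):
    """Summarise crashes of one test case across runs and give a verdict."""
    addrs = [fault_address(e)[1] for e in excerpts]
    kinds = Counter(classify(a) for a in addrs)
    if len(set(addrs)) == 1 and kinds.get("null-deref-like") == len(addrs):
        verdict = "deterministic NULL+offset dereference"
    else:
        # Varying or wild addresses: the report's reasoning for suspecting
        # a use-after-free or other non-deterministic memory corruption.
        verdict = "non-deterministic: suspect use-after-free or similar memory corruption"
    return {"addresses": addrs, "kinds": dict(kinds), "verdict": verdict}
```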

GoogleCodeExporter commented 9 years ago
PSIRT-3732

Original comment by cev...@google.com on 26 May 2015 at 10:17

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:36

GoogleCodeExporter commented 9 years ago
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

Original comment by natashe...@google.com on 18 Aug 2015 at 7:34

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 18 Aug 2015 at 7:34