telnetgmike / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash leak of uninitialized data when JPEG image alpha channel zlib stream ends prematurely #48

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
A SWF to reproduce is attached, along with source. To reproduce, host the additional resource SWF "jpgswfalpha.swf" on the same web server / directory as JPEGLeakAlpha.swf.

For JPEG images in Flash, there's an optional zlib-compressed alpha channel component after the JPEG data. If we supply a zlib stream that terminates early, uninitialized alpha channel values are used and these can be leaked to script.

The demo SWF file grabs a pointer value and displays it (64-bit Linux) to illustrate the point.

A screenshot is attached for convenience.

Since it's very easy to use this vulnerability to read uninitialized memory content, a 90-day disclosure deadline applies.

Original issue reported on code.google.com by cev...@google.com on 14 Jul 2014 at 9:22

Attachments:
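The root cause described in the report is a decoder that allocates the alpha plane, inflates the zlib stream into it, and then uses the buffer without confirming that the stream actually filled it. The following is an added example, not code from the report or from Flash Player: it models the unchecked decoder beside a checked one, using Python's `zlib` module. The buffer contents, image size and the truncated stream are all constructed here; `0xAA` stands in for whatever a freshly allocated heap buffer happens to contain.

```python
import zlib

UNINIT = 0xAA  # constructed stand-in for stale heap contents left by malloc() without memset()


def inflate_alpha(zstream: bytes, width: int, height: int):
    """Inflate an alpha plane and classify the result.

    Returns (alpha_bytes, status). status is "ok" only when the zlib stream
    ended cleanly (adler32 trailer seen) and produced exactly width*height bytes.
    """
    expected = width * height
    d = zlib.decompressobj()
    # Ask for one byte more than the plane needs: an over-long stream then shows
    # up as len(out) == expected + 1 without being inflated in full.
    out = d.decompress(zstream, expected + 1)
    if len(out) > expected:
        return out[:expected], "overlong"
    if not d.eof or len(out) < expected:
        # Stream stopped early, or the trailer never arrived: the plane is incomplete.
        return out, "truncated"
    if d.unused_data:
        return out, "trailing-data"
    return out, "ok"


def naive_alpha(zstream: bytes, width: int, height: int) -> bytearray:
    """Models the vulnerable pattern: allocate, inflate, trust whatever came out."""
    expected = width * height
    buf = bytearray([UNINIT]) * expected      # the uninitialized allocation
    out, _status = inflate_alpha(zstream, width, height)
    buf[:len(out)] = out                      # only the bytes that inflated are written
    return buf                                # the tail still holds UNINIT (i.e. leaked memory)


def checked_alpha(zstream: bytes, width: int, height: int) -> bytes:
    """Hardened variant: refuse to use a plane the stream did not completely fill."""
    out, status = inflate_alpha(zstream, width, height)
    if status != "ok":
        raise ValueError(f"alpha channel rejected: {status}")
    return out


# Constructed sample: a 4x4 alpha plane, compressed at level 0 so it is emitted as a
# single stored block (2-byte header, 5-byte block header, 16 data bytes, 4-byte adler32).
WIDTH, HEIGHT = 4, 4
ALPHA = bytes(range(WIDTH * HEIGHT))
FULL = zlib.compress(ALPHA, 0)
TRUNCATED = FULL[:-12]   # drop the adler32 trailer and the last 8 alpha bytes

if __name__ == "__main__":
    print("unchecked decoder, truncated stream:", naive_alpha(TRUNCATED, WIDTH, HEIGHT).hex())
    for name, stream in (("full", FULL), ("truncated", TRUNCATED)):
        try:
            print(f"checked decoder, {name} stream:", checked_alpha(stream, WIDTH, HEIGHT).hex())
        except ValueError as exc:
            print(f"checked decoder, {name} stream:", exc)
```

Running it shows the unchecked decoder returning `00..07` followed by eight `aa` bytes, which is exactly the situation the report exploits: pixels whose alpha was never written, read back by script. The checked decoder treats a short stream, an over-long stream and trailing bytes as malformed input and never hands the buffer out.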

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 14 Jul 2014 at 10:16

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 15 Jul 2014 at 5:21

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 21 Aug 2014 at 3:31

GoogleCodeExporter commented 9 years ago
Bulletin: http://helpx.adobe.com/security/products/flash-player/apsb14-18.html

Original comment by cev...@google.com on 21 Aug 2014 at 3:36

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 21 Aug 2014 at 10:01

GoogleCodeExporter commented 9 years ago
Blogged about here: http://googleprojectzero.blogspot.com/2014/08/what-does-pointer-look-like-anyway.html

Marking as Fixed since the patch has been available for more than a week.

Original comment by cev...@google.com on 21 Aug 2014 at 10:09