Integer overflow in Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allows attackers to execute arbitrary code via unspecified vectors. If an mp3 file contains compressed ID3 data that is larger than 0x2aaaaaaa bytes, an integer overflow will occur in allocating the buffer to contain its converted string data, leading to a large copy into a small buffer. A sample fla, swf and mp3 are attached. Put id34.swf and tag.mp3 in the same folder to reproduce the issue. This issue only works on 64 bit platforms.
Recent assessments:
wchen-r7 at September 12, 2019 6:07pm UTC reported:
The decode_buffer_size is calculated this way in Flash:
decode_buffer_size = (encode_data_size - 1) * 6 + 2
In asm:
.text:10024F13 loc_10024F13: ; CODE XREF: sub_10024C79+278j
.text:10024F13 mov eax, ebx
.text:10024F15 imul eax, 6
.text:10024F18 add eax, 2
.text:10024F1B cmp [esi+28h], eax
.text:10024F1E mov [ebp+var_20], eax
.text:10024F21 jge short loc_10024F4D
During decoding, the buffer can be reallocated:
int current_buffer_size;
int decoded_buffer_size;
if (current_buffer_size < decoded_buffer_size) {
    // reallocate the decode buffer
}
If the encode_data_size is larger than 0x2aaaaaab, it will cause an integer overflow in the calculation of (encode_data_size - 1) * 6 + 2.
Version 18.0.0.232:
.text:10024E3E mov eax, [ebp+var_14]
.text:10024E41 imul eax, 6
.text:10024E44 inc eax
.text:10024E45 inc eax
.text:10024E46 cmp eax, [ebp+var_14]
.text:10024E49 jbe loc_10024FB8
(encode_data_size * 6 + 2) > encode_data_size
Note that it seems this patch can be bypassed; see CVE-2015-8446.
Assessed Attacker Value: 0
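A C model of the size arithmetic described in the assessment above, added here as an illustration and not code from Flash Player or from the assessor: the 32-bit computation (encode_data_size - 1) * 6 + 2 that wraps, the 18.0.0.232 comparison (encode_data_size * 6 + 2) > encode_data_size, and a 64-bit check that rejects every size whose exact result does not fit the allocation length. All function names and the sample sizes are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not Flash code) of the decode-buffer size calculation
 * in the assessment: (encode_data_size - 1) * 6 + 2, evaluated in 32-bit
 * registers (imul eax, 6 / add eax, 2), so the result wraps modulo 2^32. */
uint32_t decode_buffer_size(uint32_t encode_data_size) {
    return (encode_data_size - 1u) * 6u + 2u;
}

/* True when the 32-bit result above differs from the mathematically exact
 * size, i.e. the allocation would be smaller than the data it must hold. */
bool size_calc_overflows(uint32_t encode_data_size) {
    if (encode_data_size == 0) return true;          /* (0 - 1) already wraps */
    uint64_t exact = ((uint64_t)encode_data_size - 1u) * 6u + 2u;
    return exact > UINT32_MAX;
}

/* Model of the 18.0.0.232 check quoted above: encode_data_size * 6 + 2 must be
 * strictly greater than encode_data_size (unsigned compare, as jbe does).
 * Returns true when the size would be accepted. */
bool patched_check_accepts(uint32_t encode_data_size) {
    uint32_t v = encode_data_size * 6u + 2u;
    return v > encode_data_size;
}

/* Defensive version: do the arithmetic in 64 bits and refuse any size whose
 * exact result does not fit the 32-bit allocation length. */
bool safe_decode_buffer_size(uint32_t encode_data_size, uint32_t *out) {
    if (encode_data_size == 0) return false;
    uint64_t exact = ((uint64_t)encode_data_size - 1u) * 6u + 2u;
    if (exact > UINT32_MAX) return false;
    *out = (uint32_t)exact;
    return true;
}

int main(void) {
    /* Constructed sample sizes around the wrap boundary, plus one that fits. */
    const uint32_t samples[] = { 0x2aaaaaabu, 0x2aaaaaacu, 0x40000000u, 0x1000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t n = samples[i], safe = 0;
        printf("n=0x%08x wrapped=0x%08x overflow=%d patched_accepts=%d safe=%d\n",
               n, decode_buffer_size(n), size_calc_overflows(n),
               patched_check_accepts(n), safe_decode_buffer_size(n, &safe));
    }
    return 0;
}
```

The single comparison in the patched version rejects the sizes just past 0x2aaaaaab but, as plain modular arithmetic shows, not every size whose product wraps; a range check done in wider arithmetic (or a multiply-with-overflow builtin) is the robust mitigation.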