[Tracking for: https://code.google.com/p/chromium/issues/detail?id=472201]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
Loading a weird MPD file can corrupt flash player's memory.
Chrome version 41.0.2272.101, Flash 184.108.40.206
Operating System: Win 7 x64 SP1
I'm ripping most of this from scarybeasts' sources. I'm sure he's ok with that =D.
"To reproduce, host the attached SWF and other files on a web server (e.g. localhost) and load it like this:"
"To compile the .as file, I had to use special flags to flex:"
"mxmlc -target-player 14.0 -swf-version 25 -static-link-runtime-shared-libraries ./PlayManifest.as"
"(This also requires that you have v14.0 of playerglobals.swc installed. Any newer version should also be fine.)"
On Win7 x64 sp1 with Chrome 32 bit, crash like this:
6AA8B67C | 8B C3 | mov eax,ebx |
6AA8B67E | E8 A1 05 00 00 | call pepflashplayer.6AA8BC24 |
6AA8B683 | EB A8 | jmp pepflashplayer.6AA8B62D |
6AA8B685 | 89 88 D0 00 00 00 | mov dword ptr ds:[eax+D0],ecx | // crash here, eax points somewhere in pepflashplayer.dll
6AA8B68B | 8B 88 88 00 00 00 | mov ecx,dword ptr ds:[eax+88] |
6AA8B691 | 33 D2 | xor edx,edx |
6AA8B693 | 3B CA | cmp ecx,edx |
6AA8B695 | 74 07 | je pepflashplayer.6AA8B69E |
6AA8B697 | 39 11 | cmp dword ptr ds:[ecx],edx |
6AA8B699 | 0F 95 C1 | setne cl |
At first sight this looks to be an uninitialized stack variable but I might be wrong.
Proof of Concept: