Nytro, posted December 1, 2014

Flash heap buffer overflow calling Camera.copyToByteArray() with a large ByteArray

This bug came out of a conversation with Nicolas Joly. I don't feel comfortable claiming any credit but I'll happily take on the co-ordination. i.e. please credit simply "Nicolas Joly".

This is extremely similar to https://code.google.com/p/google-security-research/issues/detail?id=46

The main difference is that in order to trigger the bug, it is necessary for the user to click through the camera permission dialog, which lowers the severity.

Source and compiled SWF attached. Faults my Chrome Linux x64 every time, Flash v15.0.0.152.

Note that you'll need to click "ok" on all the permission dialogs before a timer fires at the 2 second mark. If you miss, just refresh and try again.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachments:
- CameraCopyToByteArrayBug.as (942 bytes)
- CameraCopyToByteArrayBug.swf (898 bytes)

Source: https://code.google.com/p/google-security-research/issues/detail?id=116&can=1