Re: Adobe Flash Player plug-in null pointer dereference and browser crash



On Wed, Oct 1, 2008 at 5:46 PM, Matthew Dempsky <matthew@xxxxxxxxxxxxxx> wrote:
If a Flash 9 SWF loads two SWF files with different SWF version
numbers from two distinct HTTP requests to the exact same URL
(including query string arguments), then Adobe's Flash Player plug-in
will try to dereference a null pointer.  This issue affects at least
versions 9.0.45.0, 9.0.112.0, 9.0.124.0, and 10.0.12.10 on Windows, OS
X, and Linux.

As an update, this issue also affects 10.0.22.87 at least on Windows
and OS X. I've seen some Linux distributions (e.g., [1]) claim that
10.0.22.87 fixes this bug (aka CVE-2008-4546), but I think this is
mistaken.

You can easily reproduce this bug (i.e., crash your browser) by
visiting http://flashcrash.dempsky.org/. Be sure to tell your
friends: it can be the next Rick Roll.

[1] http://www.gentoo.org/security/en/glsa/glsa-200903-23.xml?style=printable

--
Matthew Dempsky
http://www.mochimedia.com


