Source: https://code.google.com/p/google-security-research/issues/detail?id=396&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
A nasty looking crash is manifesting in various different ways under fuzzing, apparently related to drawing and bitmap handling.
A trigger is attached, signal_sigsegv_7ffff5b5aee2_252_0688bbd450e7c095265d00be2fca50ab.swf
The base file from which this fuzz case was generated is attached, 0688bbd450e7c095265d00be2fca50ab.swf
The crash on 64-bit Linux looks like this:
=> 0x00007f69314b8f7d: cmpl $0xc,0x174(%rax)
rax 0x83071500ff0300 36881008741516032
If we trace through the usages of %rax, we can get to some bad writes pretty easily:
=> 0x00007f69314b8f7d: cmpl $0xc,0x174(%rax)
0x00007f69314b8f84: je 0x7f69314b8fa0
...
0x00007f69314b8fa0: mov (%rax),%rdi <-- rdi compromised
0x00007f69314b8fa3: callq 0x7f69314b8810
...
0x00007f69314b8810: mov (%rsi),%edx
0x00007f69314b8812: cmp $0x7ffffff,%edx
0x00007f69314b8818: je 0x7f69314b8862
0x00007f69314b881a: mov 0x10(%rdi),%eax
0x00007f69314b881d: cmp $0x7ffffff,%eax
0x00007f69314b8822: je 0x7f69314b8868
0x00007f69314b8824: sub $0x1,%edx
0x00007f69314b8827: cmp %eax,%edx
0x00007f69314b8829: cmovg %eax,%edx
0x00007f69314b882c: mov 0x14(%rdi),%eax
0x00007f69314b882f: mov %edx,0x10(%rdi) <---- rdi written to
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37866.zip