Source: https://code.google.com/p/google-security-research/issues/detail?id=400&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.
The crash looks like this on Linux x64:
=> 0x00007f6931226f22: mov 0x8(%rcx),%eax
rcx 0x303030303030300 217020518514230016
The wider context shows that the wild pointer target can be incremented with this vulnerability, which is typically enough for an exploit:
=> 0x00007f6931226f22: mov 0x8(%rcx),%eax <--- read
0x00007f6931226f25: test %eax,%eax
0x00007f6931226f27: je 0x7f6931226f80
0x00007f6931226f29: test $0x40000000,%eax
0x00007f6931226f2e: jne 0x7f6931226f80
0x00007f6931226f30: add $0x1,%eax <--- increment
0x00007f6931226f33: cmp $0xff,%al
0x00007f6931226f35: mov %eax,0x8(%rcx) <--- write back
The base sample from which this fuzz case was generated is also attached, e3f87b25c25db8f9ec3c975f8c1211cc.swf
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37870.zipData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation