The below explanation was written in October 2008, while I was an engineer at Mochi Media.


Adobe Flash Player plug-in browser crash

Summary

If a Flash 9 SWF loads the same URL twice, with the first request returning a Flash 7 SWF and the second returning a Flash 8 SWF (or vice-versa), the Adobe Flash Player plug-in will attempt to dereference a null pointer, crashing the browser.

Details

Using the server included with the sample code below, HTTP requests for / return a Flash 9 SWF that uses flash.display.Loader to load two instances of /b. HTTP requests for /b alternately return an empty SWF compiled for Flash 7 or Flash 8.

This example only uses GET requests, but POST requests also work. The URL (including query string arguments) must be the same for both requests to /b, but POST requests may use different request entities.

There's seemingly nothing special about 7 and 8, except that 7 ≠ 8. E.g., compiling for any distinct pair of versions among 6, 7, and 8 instead of 7 and 8 also results in crashes. The first request can also instead return an image file supported by Flash such as a PNG or JPEG.

Sample code

Download the sample code here. This zip file includes a simple web server written in Python that has been tested to work correctly on OS X 10.5.4 and 10.5.5 but is expected to work on any system with Python 2.5.

Download, unzip, and start the server by running:

$ curl -O http://flashcrash.dempsky.org/flashcrash-20080919.zip
$ unzip flashcrash-20080919.zip
$ cd flashcrash-20080919
$ python flashcrash.py

The server will listen on port 8080. While the server is running, open http://127.0.0.1:8080/ in a browser using the Adobe Flash Player plug-in. Within a few seconds, the entire browser should crash.

Results

This code has been tested with Safari 3.1.2 and Firefox 3.0.1 with Adobe's Flash Player plug-in 9.0.115.0, 9.0.124.0, and 10.0.12.10 on OS X 10.5.4 and 10.5.5.

This code has also been tested with Internet Explorer 6.0 and 7.0, Firefox 3.0.1, and Chrome 0.2.149.30 with Adobe's Flash Player plug-in 9.0.45.0 and 9.0.124.0 on Windows XP Professional SP2. In Chrome tests, only one tab failed. In one IE7 test, the browser became completely unresponsive and needed a reboot to resolve, but we could not reproduce this.

This code has also been tested with Firefox 3.0.1 with Adobe's Flash Player plug-in 9.0.124.0 on Ubuntu 8.04 on amd64. On this platform, the Flash Player plug-in runs in a separate process (under nspluginwrapper) so only that process crashes instead of the entire browser.

Credits

One of our users, Jared, reported a problem where his Flash game would crash his browser. One of our engineers, Moshen Chan, reproduced the issue Jared reported and found a simple work-around (appending a varying query string to every request). Another of our engineers, Matthew Dempsky, further simplified Moshen's test case into the above description and sample code.