Adobe Flash Player ShimContentResolver(resolverType=1) class Memory Corruption Vulnerability
Vulnerability Details
I. Summary
Adobe Flash Player is prone to a memory corruption vulnerability caused by improper validation in ShimContentResolver.resolve().
------------------------------------------------------------------
II. Description
Normally, resolve() should validate its parameter with canResolve() and return an error at the AS3 level if anything goes wrong.
However, if ShimContentResolver is constructed with resolverType=1 and resolve() is then invoked with an invalid Opportunity instance, some inner fields of ShimContentResolver will be absent, which will cause a memory crash.
------------------------------------------------------------------
III. Credit
Wen Guanxing from Pangu LAB is credited for this vulnerability.
Adobe has assigned it CVE-2016-4155.
https://helpx.adobe.com/security/products/flash-player/apsb16-18.html
Report Stats
- Report ID: 145272
- State: Closed
- Substate: resolved
- Upvotes: 2