The first five checks are performed on the permanent buffer that I wrote about in the previous post. The last check is performed on the match buffer that contains the first ImageData in the permanent buffer. The bytes are copied from the permanent buffer to the match buffer using a fast memcpy function.

0x570e7 | Checks for PNG signature.
0x57124 | Checks for GIF87a signature.
0x57138 | Checks for GIF89a signature.
0x5717D | Checks for JPEG XR (Windows Media Photo) signature.
0x5719B | Checks for ATF (Adobe Texture Format) signature.
0x4b6fc2 | Checks for JPEG (ff d8) signature.
I looked at the specification of the DefineBitsJPEG2 tag. It's interesting to see that SWF specification version 19 says "Compressed image data is either JPEG, PNG, or GIF89a format". However, as seen above, there might be other file formats supported. Good to know if you want to fuzz this area.
All offsets in this post are RVAs, that is, relative to Flash Player's image base.
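The gap between the specification and the signature checks listed above can be looked for in sample files. The following is an added example, not code from this post or from Flash Player: it walks the tags of an SWF file and reports which signature each DefineBitsJPEG2 ImageData starts with, marking formats the specification does not name. The magic bytes other than ff d8 are taken from the formats' public specifications, and classify, scan_swf, make_tag and SAMPLE are names made up for this sketch.

```python
import struct
import zlib

# Magic bytes from the formats' public specs; the post only spells out ff d8.
SIGNATURES = [(b"\x89PNG\r\n\x1a\n", "PNG"), (b"GIF87a", "GIF87a"),
              (b"GIF89a", "GIF89a"), (b"II\xbc", "JPEG XR"),
              (b"ATF", "ATF"), (b"\xff\xd8", "JPEG")]
DOCUMENTED = {"JPEG", "PNG", "GIF89a"}  # formats the SWF spec names for the tag
DEFINE_BITS_JPEG2 = 21                  # tag code in the SWF specification

def classify(image_data):
    """Name of the first signature that prefixes image_data, else None."""
    return next((n for m, n in SIGNATURES if image_data.startswith(m)), None)

def scan_swf(blob):
    """Return [(character_id, format, documented?)] for DefineBitsJPEG2 tags."""
    if blob[:3] == b"CWS":
        body = zlib.decompress(blob[8:])  # body after the 8-byte header is zlib
    elif blob[:3] == b"FWS":
        body = blob[8:]
    else:
        raise ValueError("unsupported SWF signature")
    if not body:
        return []
    # Skip the bit-packed RECT (5-bit width + 4 fields), frame rate, frame count.
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4
    found = []
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F and pos + 4 <= len(body):  # long header: 32-bit length
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        if code == 0 or pos + length > len(body):
            break  # End tag, or a tag that claims more bytes than the file has
        if code == DEFINE_BITS_JPEG2 and length >= 2:
            (char_id,) = struct.unpack_from("<H", body, pos)
            fmt = classify(body[pos + 2:pos + length])
            found.append((char_id, fmt, fmt in DOCUMENTED))
        pos += length
    return found

def make_tag(code, payload):
    """Long-form tag record, used only to build the constructed sample."""
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
# Constructed sample: empty RECT, frame rate, frame count, two image tags, End.
SAMPLE_BODY = (b"\x00" + b"\x00\x0c" + b"\x01\x00"
               + make_tag(21, b"\x01\x00\xff\xd8\xff\xe0")
               + make_tag(21, b"\x02\x00II\xbc\x01") + make_tag(0, b""))
SAMPLE = b"FWS\x13" + struct.pack("<I", 8 + len(SAMPLE_BODY)) + SAMPLE_BODY
```

Running scan_swf over the constructed SAMPLE reports character 1 as JPEG (documented) and character 2 as JPEG XR (not documented). LZMA-compressed ZWS files are rejected rather than parsed.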