Adobe Flash Player plug-in browser crash


If a Flash 9 SWF loads the same URL twice, with the first request returning a Flash 7 SWF and the second returning a Flash 8 SWF (or vice versa), the Adobe Flash Player plug-in will attempt to dereference a null pointer, crashing the browser.


Using the server included with the sample code below, HTTP requests for / return a Flash 9 SWF that uses flash.display.Loader to load two instances of /b. HTTP requests for /b alternately return an empty SWF compiled for Flash 7 or Flash 8.

This example only uses GET requests, but POST requests also work. The URL (including query string arguments) must be the same for both requests to /b, but POST requests may use different request entities.

There's seemingly nothing special about 7 and 8, except that 7 ≠ 8. E.g., compiling for any distinct pair of versions 6, 7, and 8 instead of 7 and 8 also results in crashes. The first request can also instead return an image file supported by Flash, such as a PNG or JPEG.
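For site operators who want to check whether their own content can hit this condition, the following is an added example (Python 3, not part of the original sample code) that classifies captured response bodies by SWF header version or image type and reports any URL, query string included, that was served with more than one kind. It flags every mismatch, which is broader than the version pairs tested above; the example.test URLs and sample bodies are constructed for illustration.

```python
import struct
from collections import defaultdict

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

def classify(body):
    """Return (kind, swf_version); swf_version is None for non-SWF bodies."""
    if len(body) >= 8 and body[:3] in (b"FWS", b"CWS"):
        # SWF header: 3-byte signature, 1-byte version, 4-byte LE file length.
        return ("swf", body[3])
    if body.startswith(PNG_MAGIC):
        return ("png", None)
    if body.startswith(JPEG_MAGIC):
        return ("jpeg", None)
    return ("other", None)

def inconsistent_urls(observations):
    """observations: iterable of (full_url, body) pairs in request order.
    Returns {url: [kinds...]} for URLs served with more than one kind."""
    seen = defaultdict(list)
    for url, body in observations:
        kind = classify(body)
        if kind not in seen[url]:
            seen[url].append(kind)
    return {url: kinds for url, kinds in seen.items() if len(kinds) > 1}

def sample_swf(version):
    # Constructed 8-byte header only; not a playable SWF.
    return b"FWS" + bytes([version]) + struct.pack("<I", 8)

# Constructed observations: /b and /d change kind under one URL; /c varies
# its query string, so each request is a different URL; /e is stable.
SAMPLE = [
    ("http://example.test/b", sample_swf(7)),
    ("http://example.test/b", sample_swf(8)),
    ("http://example.test/c?r=1", sample_swf(7)),
    ("http://example.test/c?r=2", sample_swf(8)),
    ("http://example.test/d", PNG_MAGIC + b"\x00"),
    ("http://example.test/d", sample_swf(8)),
    ("http://example.test/e", sample_swf(8)),
    ("http://example.test/e", sample_swf(8)),
]

if __name__ == "__main__":
    for url, kinds in inconsistent_urls(SAMPLE).items():
        print(url, kinds)
```

The observations can come from any source that records full request URLs with response bodies, such as a proxy capture or a crawl of your own asset paths.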

Sample code

Download the sample code here. This zip file includes a simple web server written in Python that has been tested to work correctly on OS X 10.5.4 and 10.5.5 but is expected to work on any system with Python 2.5.

Download, unzip, and start the server by running:

$ curl -O
$ unzip
$ cd flashcrash-20080919
$ python

The server will listen on port 8080. While the server is running, open in a browser using the Adobe Flash Player plug-in. Within a few seconds, the entire browser should crash.


This code has been tested with Safari 3.1.2 and Firefox 3.0.1 with Adobe's Flash Player plug-in,, and on OS X 10.5.4 and 10.5.5.

This code has also been tested with Internet Explorer 6.0 and 7.0, Firefox 3.0.1, and Chrome with Adobe's Flash Player plug-in and on Windows XP Professional SP2. In Chrome tests, only one tab failed. In one IE7 test, the browser became completely unresponsive and needed a reboot to resolve, but we could not reproduce this.

This code has also been tested with Firefox 3.0.1 with Adobe's Flash Player plug-in on Ubuntu 8.04 on amd64. On this platform, the Flash Player plug-in runs in a separate process (under nspluginwrapper) so only that process crashes instead of the entire browser.


One of our users, Jared, reported a problem where his Flash game would crash his browser. One of our engineers, Moshen Chan, reproduced the issue Jared reported and found a simple work-around (appending a varying query string to every request). Another of our engineers, Matthew Dempsky, further simplified Moshen's test case into the above description and sample code.