Verified on v10.0.22.87
Install Adobe Flash Player (10.0.32.18) / AIR (1.5.2) or later.
An integer overflow exists in the AVM2 abcFile parser code which handles the intrf_count value of the instance_info structure. When intrf_count is larger than 0x10000000, it is nullified due to an integer overflow. This results in an out of bounds pointer dereference. The out of bounds object contains arbitrary values (in the context of the code which handles the interfaces count element) which are manipulated in a way so that an arbitrary memory overwrite with an attacker supplied destination and value is possible.
A Proof-of-Concept exploit is demonstrated: