Quick summary - it's a bug in the PCRE regex engine as used in Flash. Spoiler: it's exploitable. [...]
Below is what happens when we compile a regex that combines the \c escape sequence (which is intended to match a single ASCII character) with a multibyte UTF-8 character. A simple trigger for the bug is '\\c\xd0\x80+', below. [...]
So clearly something has gone wrong... The question is now how to leverage this invalid bytecode to get code execution.
Project Zero: (^Exploiting)\s(CVE-2015-0318)\s(in)\s*(Flash$)
Current Music: Heartsrevolution -- Digital Suicide ♬