Flash: bad / wild write in XML when callback modifies XML tree unexpectedly during property delete

[GoogleCodeExporter]

Source file and compiled PoC attached.

Looking at 
https://github.com/adobe-flash/avmplus/blob/master/core/XMLListObject.cpp:

bool XMLListObject::delUintProperty(uint32_t index)
...
if (index >= _length())      [1]
        {
            return true;
        }
...
    px->childChanges(core->knodeRemoved, r->atom());  [2]
...
    m_children.removeAt(index);   [3]

In [1], the passed in index is validated. In [2], the callback can run 
actionscript, which might shrink the size of the current XMLList. In [3], the 
pre-validated index is used but it might now be invalid due to shrinking at 
[2]. Unfortunately, removeAt() does not behave well in the presence of an 
out-of-bounds index.

The PoC works by triggering a wild copy in order to demonstrate the crash. But 
other side-effects are possible such as decrementing the refcount of an 
out-of-bounds index.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 22 May 2015 at 2:22

Attachments:

• XMLListDelEvent.as
• XMLListDelEvent.swf

[GoogleCodeExporter]

PSIRT-3736

Original comment by cev...@google.com on 26 May 2015 at 10:18

• Added labels: Id-3736

[GoogleCodeExporter]

Original comment by natashe...@google.com on 11 Aug 2015 at 3:33

• Added labels: CVE-2015-5549

[GoogleCodeExporter]

Original comment by natashe...@google.com on 11 Aug 2015 at 3:35

• Changed state: Fixed

[GoogleCodeExporter]

Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

Original comment by natashe...@google.com on 18 Aug 2015 at 7:35

• Removed labels: Restrict-View-Commit