jack51706 / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash memory corruption in Actionscript 2 Array.join #93

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
There's a signedness issue when calling the join method on an Actionscript 2 Array containing long strings. The attached PoC crashes the latest Chrome Canary on Mac flash ppapi process inside memmove.

Build the PoC like this:

    mtasc -swf ArrToStr.swf -version 8 -main -header 800:600:25 ArrToStr.as X.as

Original issue reported on code.google.com by ianb...@google.com on 19 Aug 2014 at 6:07

Attachments:
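The report above names the bug class (a signed length computation feeding a memmove) but not the mechanism, and the PoC is not on the page. The following is an added illustration, not the reporter's PoC and not Adobe's or Flash's code: a hypothetical string-join routine that accumulates the output length in a 32-bit signed integer, so that joining strings whose combined length exceeds INT32_MAX wraps the total negative, a `total < capacity` check passes, and the copy length becomes a huge `size_t`. The hardened version beside it accumulates in `size_t`, checks each addition for overflow, and enforces an explicit cap before allocating. All functions, names and the sample inputs are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Vulnerable-style length computation (constructed example, not Flash code).
 * The accumulation is modelled in uint32_t and then converted to int32_t so the
 * wraparound is well defined here; the bug being illustrated is that the caller
 * treats the result as a signed length. */
int32_t total_len_signed(const size_t *lens, size_t n, size_t sep_len) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += (uint32_t)lens[i];            /* silently wraps past 2^32 */
        if (i + 1 < n) total += (uint32_t)sep_len;
    }
    return (int32_t)total;                     /* values >= 2^31 come back negative */
}

/* A signed comparison lets a negative total through as "small enough". */
int bounds_check_signed(int32_t total, int32_t capacity) {
    return total < capacity;
}

/* What a memmove/memcpy then receives when the negative total is widened. */
size_t copy_len_from_signed(int32_t total) {
    return (size_t)total;                      /* -1 becomes SIZE_MAX */
}

/* Hardened: unsigned arithmetic, per-step overflow check, explicit cap.
 * Returns 1 and writes *out on success, 0 if the total overflows or exceeds cap. */
int total_len_checked(const size_t *lens, size_t n, size_t sep_len,
                      size_t cap, size_t *out) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] > cap - total) return 0;   /* would exceed cap (and cannot wrap) */
        total += lens[i];
        if (i + 1 < n) {
            if (sep_len > cap - total) return 0;
            total += sep_len;
        }
    }
    *out = total;
    return 1;
}

/* Safe join: length is validated before any allocation or copy. */
char *join_checked(const char **strs, const size_t *lens, size_t n,
                   const char *sep, size_t sep_len, size_t cap) {
    size_t total;
    if (cap == SIZE_MAX) return NULL;          /* keep room for the terminator */
    if (!total_len_checked(lens, n, sep_len, cap, &total)) return NULL;
    char *buf = malloc(total + 1);
    if (!buf) return NULL;
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        memcpy(buf + pos, strs[i], lens[i]);
        pos += lens[i];
        if (i + 1 < n) {
            memcpy(buf + pos, sep, sep_len);
            pos += sep_len;
        }
    }
    buf[pos] = '\0';
    return buf;
}

/* Constructed input: two element lengths of 0x7FFFFFFF plus a one-byte separator.
 * No buffers of that size are allocated; only the length arithmetic is exercised. */
int32_t demo_signed_total(void) {
    size_t lens[2] = { 0x7FFFFFFFu, 0x7FFFFFFFu };
    return total_len_signed(lens, 2, 1);       /* 0xFFFFFFFF -> -1 */
}

int demo_checked_rejects(void) {
    size_t lens[2] = { 0x7FFFFFFFu, 0x7FFFFFFFu };
    size_t out;
    return total_len_checked(lens, 2, 1, 1000, &out);   /* 0: rejected */
}

char *demo_join(void) {
    const char *strs[3] = { "a", "bb", "ccc" };
    size_t lens[3] = { 1, 2, 3 };
    return join_checked(strs, lens, 3, ", ", 2, 1000);  /* "a, bb, ccc" */
}

int main(void) {
    int32_t t = demo_signed_total();
    printf("signed total: %d, check passes: %d, copy length: %zu\n",
           t, bounds_check_signed(t, 1000), copy_len_from_signed(t));
    printf("checked version accepts: %d\n", demo_checked_rejects());
    char *s = demo_join();
    printf("joined: %s\n", s);
    free(s);
    return 0;
}
```

The detection angle for reviewers is the pattern itself: any length or size that is summed from attacker-controlled element lengths into a signed integer, then compared with `<` against a capacity, is suspect regardless of the host runtime; the fix is unsigned arithmetic with an overflow-aware check against an explicit maximum, as in `total_len_checked`.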

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 19 Aug 2014 at 6:17

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 19 Aug 2014 at 6:52

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 23 Sep 2014 at 7:15

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 10 Oct 2014 at 9:12

GoogleCodeExporter commented 9 years ago
Making report public. This was fixed ages ago in
http://helpx.adobe.com/security/products/flash-player/apsb14-22.html

Original comment by cev...@google.com on 8 Nov 2014 at 1:31

GoogleCodeExporter commented 9 years ago

Original comment by scvi...@google.com on 13 Jan 2015 at 12:17