superuser5 / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Flash: bad / wild write in XML when callback modifies XML tree unexpectedly during property delete #404

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Source file and compiled PoC attached.

Looking at 
https://github.com/adobe-flash/avmplus/blob/master/core/XMLListObject.cpp:

bool XMLListObject::delUintProperty(uint32_t index)
...
if (index >= _length())      [1]
        {
            return true;
        }
...
    px->childChanges(core->knodeRemoved, r->atom());  [2]
...
    m_children.removeAt(index);   [3]

In [1], the passed in index is validated. In [2], the callback can run 
actionscript, which might shrink the size of the current XMLList. In [3], the 
pre-validated index is used but it might now be invalid due to shrinking at 
[2]. Unfortunately, removeAt() does not behave well in the presence of an 
out-of-bounds index.

The PoC works by triggering a wild copy in order to demonstrate the crash. But 
other side-effects are possible such as decrementing the refcount of an 
out-of-bounds index.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 22 May 2015 at 2:22

Attachments:

GoogleCodeExporter commented 9 years ago
PSIRT-3736

Original comment by cev...@google.com on 26 May 2015 at 10:18

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:33

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:35

GoogleCodeExporter commented 9 years ago
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

Original comment by natashe...@google.com on 18 Aug 2015 at 7:35