Starred by 3 users
Status: Fixed
Closed: Feb 2015
Adobe Flash Calling Superconstructor More Than Once Can Lead to Inconsistent User Data and Destroy Func
Project Member Reported by natashenka@google.com, Dec 1 2014
The user data and destroy func of an object can be made inconsistent by calling the superconstructor (method super) more than once. For example, if a class extends BitmapData and its constructor contains the following code:

    super();                                // first call: BitmapData user data and destroy func are set
    this.__proto__= {};
    this.__proto__.__constructor__ = String; // swap the superclass constructor to String
    super("test");                          // second call: user data is replaced with String data, destroy func is not

The object's user data and destroy function will be set for type BitmapData when super is first called, and then its user data will be set for type String when the superconstructor is called the second time. This will leave the object with String user data, but the BitmapData destroy func, which will lead to type confusion when the object is freed. 

A sample swf and code are attached. To reproduce, click the purple button (this is for ease of analysis, the bug does not require user interaction). POC was tested on Chrome and Firefox.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
 
Attachments: super.fla (6.2 KB), super.swf (1.0 KB), mysubclass.as (390 bytes), myclass.as (251 bytes)
Project Member Comment 1 by natashenka@google.com, Dec 1 2014
Summary: Adobe Flash Calling Superconstructor More Than Once Can Lead to Inconsistent User Data and Destroy Func (was: Calling Superconstructor More Than Once Can Lead to Inconsistent User Data and Destroy Func )
Comment 2 by cevans@google.com, Dec 1 2014
Labels: -2014-Dec-01 Reported-2014-Dec-01
I ran the PoC on my Linux x64 and it crashed immediately, very nice.
Comment 3 by cevans@google.com, Dec 2 2014
Labels: Id-3163
Comment 4 by cevans@google.com, Feb 4 2015
Labels: CVE-2015-0319
Comment 5 by cevans@google.com, Feb 6 2015
Labels: Fixed-2015-Feb-5
Status: Fixed
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
Comment 6 by cevans@google.com, Feb 12 2015
Labels: -Restrict-View-Commit