260 - Adobe Flash: XML and XMLNode classes missing constructor type check - project-zero

Starred by 2 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	Mar 2015
Cc:	project-...@google.com
Finder-natashenka Id-3289 Deadline-90 Reported-2015-Feb-6 CVE-2015-0334 CCProjectZeroMembers Product-Flash Severity-High Vendor-Adobe

Adobe Flash: XML and XMLNode classes missing constructor type check

Project Member Reported by natashenka@google.com, Feb 7 2015

Back to list

The XML and XMLNode classes are missing type checks in their constructors. If a class extends a class that sets the object user data, and its constructor contains the following code, type confusion can occur on garbage collection.

		super();
		this.__proto__={};
		this.__proto__.__constructor__ = XML; //Or XMLNode
		super("test");


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

super1.swf
1.4 KB Download

myclass.as
392 bytes Download

mysubclass.as
502 bytes Download

super.fla
6.8 KB Download

super.swf
1.2 KB Download

Comment 1 by cevans@google.com, Feb 7 2015

Labels: -Reported-2015-Feb-16 Reported-2015-Feb-6 Id-3289

Comment 2 by cevans@google.com, Mar 6 2015

Labels: CVE-2015-0334

Comment 3 by cevans@google.com, Mar 12 2015

Status: Fixed

https://helpx.adobe.com/security/products/flash-player/apsb15-05.html

Comment 4 by cevans@google.com, Mar 19 2015

Labels: -Restrict-View-Commit

► Sign in to add a comment