Source file and compiled PoC attached.
Looking at https://github.com/adobe-flash/avmplus/blob/master/core/XMLListObject.cpp:
bool XMLListObject::delUintProperty(uint32_t index)
...
    if (index >= _length()) [1]
    {
        return true;
    }
...
    px->childChanges(core->knodeRemoved, r->atom()); [2]
...
    m_children.removeAt(index); [3]
In [1], the passed-in index is validated against the current length of the list. In [2], the childChanges() callback can run ActionScript, which may shrink the XMLList before the call returns. In [3], the index validated at [1] is reused, but it may now be out of bounds because of the shrinking at [2]. Unfortunately, removeAt() does not behave well when given an out-of-bounds index.
The PoC works by triggering a wild copy in order to demonstrate the crash, but other side effects are possible, such as decrementing the refcount of the object at an out-of-bounds index.
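The following is an added illustration, not avmplus code or the attached PoC: a toy fixed-capacity list whose change-notification callback stands in for childChanges() and may shrink the list, reproducing the validate [1] / notify [2] / removeAt [3] ordering above, beside a version that re-validates after the callback. The list layout, callback signature and result struct are invented for the example; the only deviation from the vulnerable ordering is that a stale index is reported in the result rather than handed to memmove, so the example runs without crashing.

```c
/* Added example, not avmplus code: a toy list whose change
 * notification callback may run script and shrink the list. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ITEMS 8

struct xlist {
    int items[MAX_ITEMS];
    uint32_t len;
};

/* Stands in for childChanges(): arbitrary script, may mutate the list. */
typedef void (*change_cb)(struct xlist *l);

struct del_result {
    bool   removed;      /* an element was actually shifted out */
    bool   stale_index;  /* index >= len once the callback returned */
    size_t copy_bytes;   /* bytes an unchecked removeAt would hand to memmove */
};

/* Tail size an unchecked removeAt computes when shifting elements down.
 * With index >= len the unsigned subtraction wraps, so memmove would be
 * told to copy billions of bytes from past the end of the buffer: the
 * wild copy. */
static size_t tail_bytes(uint32_t len, uint32_t index)
{
    uint32_t n = len - index - 1;   /* wraps when index >= len */
    return (size_t)n * sizeof(int);
}

/* Vulnerable ordering: validate once, notify, then remove with the
 * pre-validated index. A stale index is reported, not executed. */
static struct del_result del_vuln(struct xlist *l, uint32_t index, change_cb cb)
{
    struct del_result r = {0};
    if (index >= l->len)                       /* [1] validate once */
        return r;
    cb(l);                                     /* [2] script runs here */
    r.stale_index = index >= l->len;
    r.copy_bytes  = tail_bytes(l->len, index); /* [3] uses the stale index */
    if (!r.stale_index) {
        memmove(&l->items[index], &l->items[index + 1], r.copy_bytes);
        l->len--;
        r.removed = true;
    }
    return r;
}

/* Fixed ordering: anything computed before a callback that can run
 * script is re-validated after the callback returns. */
static struct del_result del_fixed(struct xlist *l, uint32_t index, change_cb cb)
{
    struct del_result r = {0};
    if (index >= l->len)
        return r;
    cb(l);
    if (index >= l->len) {          /* re-check: the list may have shrunk */
        r.stale_index = true;
        return r;                   /* copy_bytes stays 0: nothing touched */
    }
    r.copy_bytes = tail_bytes(l->len, index);
    memmove(&l->items[index], &l->items[index + 1], r.copy_bytes);
    l->len--;
    r.removed = true;
    return r;
}

/* Well-behaved script: leaves the list alone. */
static void cb_noop(struct xlist *l) { (void)l; }

/* Hostile script: empties the list from inside the notification. */
static void cb_shrink(struct xlist *l) { l->len = 0; }

/* Constructed sample list: items 0..n-1. */
static struct xlist make_list(uint32_t n)
{
    struct xlist l = {0};
    if (n > MAX_ITEMS) n = MAX_ITEMS;
    for (uint32_t i = 0; i < n; i++) l.items[i] = (int)i;
    l.len = n;
    return l;
}

int main(void)
{
    struct xlist a = make_list(4);
    struct del_result r = del_vuln(&a, 3, cb_shrink);
    printf("vuln:  stale=%d copy_bytes=%zu\n", r.stale_index, r.copy_bytes);
    struct xlist b = make_list(4);
    r = del_fixed(&b, 3, cb_shrink);
    printf("fixed: stale=%d removed=%d\n", r.stale_index, r.removed);
    return 0;
}
```

The general rule the fixed version applies: any length, index or pointer computed before a call that can re-enter script is invalid afterwards and must be re-derived, or the removal must be performed on an object reference captured before the callback rather than on a position.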
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.