New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Issue 404
Starred by 2 users
Status: Fixed
Owner:
cevans@google.com
Email to this user bounced
Closed: Aug 2015
Cc:
project-...@google.com



Sign in to add a comment
 Flash: bad / wild write in XML when callback modifies XML tree unexpectedly during property delete
Reported by cevans@google.com, May 22 2015 Back to list 
Source file and compiled PoC attached.

Looking at https://github.com/adobe-flash/avmplus/blob/master/core/XMLListObject.cpp:

bool XMLListObject::delUintProperty(uint32_t index)
...
if (index >= _length())      [1]
        {
            return true;
        }
...
    px->childChanges(core->knodeRemoved, r->atom());  [2]
...
    m_children.removeAt(index);   [3]

In [1], the passed in index is validated. In [2], the callback can run actionscript, which might shrink the size of the current XMLList. In [3], the pre-validated index is used but it might now be invalid due to shrinking at [2]. Unfortunately, removeAt() does not behave well in the presence of an out-of-bounds index.

The PoC works by triggering a wild copy in order to demonstrate the crash. But other side-effects are possible such as decrementing the refcount of an out-of-bounds index.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
XMLListDelEvent.swf
835 bytes Download
XMLListDelEvent.as
688 bytes Download
Comment 1 by cevans@google.com, May 26 2015
Labels: Id-3736
PSIRT-3736
Project Member Comment 2 by natashenka@google.com, Aug 11 2015
Labels: CVE-2015-5549
Project Member Comment 3 by natashenka@google.com, Aug 11 2015
Status: Fixed
Project Member Comment 4 by natashenka@google.com, Aug 18 2015
Labels: -Restrict-View-Commit
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html
Sign in to add a comment