Two variant SWFs are attached, along with the source.
These are ActionScript 2 source files / SWFs, so compile accordingly.
The first example creates a string that is >4GB in length; when this errant string is appended to another string, a buffer overflow occurs and the process crashes in memcpy.
The second example creates a string that is 4GB-1 in length; the failure is of the same kind, but with slightly different symptoms.
Some notes on this bug:
- The attack does not require much memory, because very large Flash strings can be built as a series of repeated references to a single smaller string.
- If you build strings of exactly 4GB in length, no crash will be observed because the length will appear to be 0, which will cause different, non-crashing behavior.
- This bug is very similar to a recent Safari bug: http://googleprojectzero.blogspot.com/2014/07/pwn4fun-spring-2014-safari-part-i_24.html
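A constructed C model of the two mechanisms in the notes above: a string built from repeated references to a small leaf, whose logical length reaches 4GB while its memory footprint stays tiny, and a 32-bit length field that wraps (exactly 4GB reads as 0, 4GB+16 reads as 16). This is added illustration, not Flash Player's code and not the attached ActionScript; the rope_t type, the function names and the unchecked-vs-checked append pair are assumptions about the shape of the defect, with the checked variant showing the arithmetic guard that prevents the undersized allocation.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model (not Flash Player's real implementation): a "rope"
 * string is one small leaf plus a repeat count, so its logical length can
 * reach 4GB while the leaf itself occupies only a few bytes. */
typedef struct {
    const char *leaf;
    uint64_t repeat;
} rope_t;

/* Logical length of the rope, computed in 64 bits so it cannot wrap. */
uint64_t rope_len64(const rope_t *r) {
    return (uint64_t)strlen(r->leaf) * r->repeat;
}

/* What a 32-bit length field records for the same rope: exactly 4GB reads
 * back as 0 (the non-crashing case in the notes), 4GB+16 reads back as 16,
 * and 4GB-1 reads back as 0xFFFFFFFF. */
uint32_t rope_len32_truncated(const rope_t *r) {
    return (uint32_t)rope_len64(r);
}

/* Vulnerable append-size computation: the 32-bit sum wraps modulo 2^32, so
 * the buffer sized from it is smaller than the byte count later copied. */
uint32_t append_size_unchecked(uint32_t dst_len, uint32_t src_len) {
    return dst_len + src_len;
}

/* Hardened version: returns the exact sum, or -1 when it would not fit in
 * the 32-bit length field, so the caller can reject the append instead of
 * allocating an undersized buffer. */
int64_t append_size_checked(uint32_t dst_len, uint32_t src_len) {
    if (src_len > UINT32_MAX - dst_len) {
        return -1; /* sum would exceed 4GB-1: refuse, never wrap */
    }
    return (int64_t)dst_len + src_len;
}
```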
Despite involving a perceived attempt to copy 4GB of data into an undersized buffer, the bug is readily exploitable due to some nice tricks.
Given the similarity to other publicly analyzed exploitable bugs, a 90-day disclosure deadline applies.