Starred by 3 users
Status: Fixed
Closed: Nov 2014
Flash memory corruption in Actionscript 2 Array.join
Project Member Reported by ianbeer@google.com, Aug 19 2014
There's a signedness issue when calling the join method on an ActionScript 2 Array containing long strings. The attached PoC crashes the latest Chrome Canary on Mac in the Flash ppapi process, inside memmove.

Build the PoC like this:
mtasc -swf ArrToStr.swf -version 8 -main -header 800:600:25 ArrToStr.as X.as
Attachments:
ArrToStr.as (286 bytes)
X.as (582 bytes)
ArrToStr.swf (594 bytes)
Project Member Comment 1 by ianbeer@google.com, Aug 19 2014
Labels: -Reporter-2014-August-18 Reported-2014-August-18 PublicOn-2014-November-18
Project Member Comment 2 by ianbeer@google.com, Aug 19 2014
Labels: Id-2970
Project Member Comment 3 by ianbeer@google.com, Sep 23 2014
Labels: -Reported-2014-August-18 -PublicOn-2014-November-18 Reported-2014-Aug18 PublicOn-2014-Nov-18
Comment 4 by cevans@google.com, Oct 10 2014
Labels: CVE-2014-0558
Comment 5 by cevans@google.com, Nov 8 2014
Labels: -Restrict-View-Commit Fixed-2014-Oct-14
Status: Fixed
Making report public. This was fixed ages ago in
http://helpx.adobe.com/security/products/flash-player/apsb14-22.html
Project Member Comment 6 by scvitti@google.com, Jan 13 2015
Labels: -Reported-2014-Aug18 Reported-2014-Aug-18