23 lines
No EOL
1.1 KiB
Text
Source: https://code.google.com/p/google-security-research/issues/detail?id=404&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
Source file and compiled PoC attached.
Looking at https://github.com/adobe-flash/avmplus/blob/master/core/XMLListObject.cpp:
    bool XMLListObject::delUintProperty(uint32_t index)
    ...
        if (index >= _length())                              [1]
        {
            return true;
        }
    ...
        px->childChanges(core->knodeRemoved, r->atom());   [2]
    ...
        m_children.removeAt(index);                          [3]
In [1], the passed-in index is validated against the current length. In [2], the childChanges() callback can run ActionScript, which may shrink the XMLList being modified. In [3], the pre-validated index is used, but by then it may be out of bounds because of the shrinking at [2]. Unfortunately, removeAt() does not handle an out-of-bounds index safely.
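The pattern above (check the index, run a re-entrant callback, then use the stale index) is easy to reproduce in miniature. The following C model is an added example written for this page; it is not avmplus code, and the names list_t, remove_at_unchecked, del_vuln, del_fixed and shrinking_cb are assumptions. The unchecked remove mirrors removeAt(): with a stale index the length arithmetic wraps and memmove would copy wildly, so the model reports that condition instead of corrupting memory. The hardened variant re-validates the index after the callback returns.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the delete path (added example; names are assumptions). */
#define CAP 8

typedef struct list {
    int    items[CAP];
    size_t len;
} list_t;

/* Stands in for childChanges(): a hook that may re-enter script and mutate the list. */
typedef void (*change_cb)(list_t *l, void *ctx);

/* Stands in for removeAt(): trusts the caller's index. With index >= len,
 * (len - index - 1) wraps as size_t and the memmove becomes a wild copy.
 * Instrumentation only: we report that state rather than perform the copy. */
static int remove_at_unchecked(list_t *l, size_t index)
{
    if (index >= l->len)
        return -1;                         /* real code would memmove out of bounds */
    memmove(&l->items[index], &l->items[index + 1],
            (l->len - index - 1) * sizeof l->items[0]);
    l->len--;
    return 0;
}

/* Vulnerable pattern: validate [1], run callback [2], use stale index [3]. */
static int del_vuln(list_t *l, size_t index, change_cb cb, void *ctx)
{
    if (index >= l->len)                   /* [1] */
        return 1;                          /* nothing to delete */
    cb(l, ctx);                            /* [2] may shrink l */
    return remove_at_unchecked(l, index);  /* [3] index no longer trustworthy */
}

/* Hardened: re-validate after any re-entrant callback, before touching memory. */
static int del_fixed(list_t *l, size_t index, change_cb cb, void *ctx)
{
    if (index >= l->len)
        return 1;
    cb(l, ctx);
    if (index >= l->len)                   /* list changed under us: bail out */
        return 1;
    return remove_at_unchecked(l, index);
}

/* Attacker-controlled callback: drops *(size_t *)ctx trailing entries. */
static void shrinking_cb(list_t *l, void *ctx)
{
    size_t drop = *(size_t *)ctx;
    l->len = drop >= l->len ? 0 : l->len - drop;
}

static list_t make_list(size_t n)
{
    list_t l = { .len = n };
    for (size_t i = 0; i < n; i++) l.items[i] = (int)i;
    return l;
}

/* Constructed input: 4 elements, delete index 3, callback drops 3 entries. */
int run_vuln(void)
{
    list_t l = make_list(4);
    size_t drop = 3;
    return del_vuln(&l, 3, shrinking_cb, &drop);   /* -1: stale index 3 vs len 1 */
}

int run_fixed(void)
{
    list_t l = make_list(4);
    size_t drop = 3;
    return del_fixed(&l, 3, shrinking_cb, &drop);  /* 1: re-check caught the shrink */
}

/* Benign callback (drops nothing): the fix must still delete normally. */
int run_fixed_benign(void)
{
    list_t l = make_list(4);
    size_t drop = 0;
    if (del_fixed(&l, 1, shrinking_cb, &drop) != 0)
        return -1;
    return (int)l.len;                              /* 3 */
}

int main(void)
{
    printf("vulnerable path: %d (-1 = out-of-bounds removeAt)\n", run_vuln());
    printf("hardened path:   %d (1 = shrink detected, no write)\n", run_fixed());
    printf("hardened benign: len %d after deleting index 1\n", run_fixed_benign());
    return 0;
}
```

Re-checking the index is the minimal fix for the model; in the real engine the callback can also free the object the stale index pointed at, so a robust fix additionally keeps any pointers taken before the callback from being used after it.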
The PoC demonstrates the crash by triggering a wild copy. Other side effects are also possible, such as decrementing the refcount of an object read from an out-of-bounds index.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37872.zip