Flash Bypass Of Length Vs. Cookie Validation

Discussion in 'News Aggregator' started by Packet Storm, 22 Aug 2015.

  1. Packet Storm

    Packet Storm Guest

    Flash version 18.0.0.209 contains new mitigations to defend against corruptions of Vector. (and other) lengths. One of these mitigations, at Vector access time, compares the Vector's in-memory length with a representation of the same length XOR'ed with a secret cookie. The bypass comes about because the secret cookie value is stored inside a structure, and a pointer to that structure is stored alongside the Vector length.
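A minimal C model of the check described in the post above, added here as an illustration and not taken from the post or from Flash's code. The struct layout, field names and cookie value are hypothetical. It contrasts fetching the cookie through the pointer stored next to the length with fetching it from a location the object itself does not name.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout for illustration; not Flash's real structures. */
typedef struct { uint32_t cookie; } secrets_t;

typedef struct {
    uint32_t   length;        /* element count used for bounds checks    */
    uint32_t   length_check;  /* length ^ cookie, written by trusted code */
    secrets_t *secrets;       /* pointer stored alongside the length      */
} vec_header_t;

/* Constructed value; a real implementation would randomise it per process. */
static secrets_t g_secrets = { 0x5EC2E7C0u };

static void vec_init(vec_header_t *v, uint32_t len) {
    v->length = len;
    v->length_check = len ^ g_secrets.cookie;
    v->secrets = &g_secrets;
}

/* Design the post describes: the cookie is reached via the in-object pointer,
   so the check trusts a field that sits in the same memory it protects. */
static int check_via_object_pointer(const vec_header_t *v) {
    return (v->length ^ v->secrets->cookie) == v->length_check;
}

/* Assumed hardened variant: the cookie comes from a fixed location. */
static int check_via_fixed_location(const vec_header_t *v) {
    return (v->length ^ g_secrets.cookie) == v->length_check;
}

/* Models a corruption that rewrites the whole header consistently.
   Returns bit 0 = pointer-based check accepted, bit 1 = fixed check accepted. */
static int header_rewrite_result(uint32_t bogus_len) {
    static secrets_t forged = { 0 };  /* cookie value chosen by the writer */
    vec_header_t v;
    vec_init(&v, 16);
    v.length = bogus_len;
    v.length_check = bogus_len ^ forged.cookie;
    v.secrets = &forged;
    return check_via_object_pointer(&v) | (check_via_fixed_location(&v) << 1);
}

int main(void) {
    vec_header_t v;
    vec_init(&v, 16);
    printf("intact: pointer=%d fixed=%d\n",
           check_via_object_pointer(&v), check_via_fixed_location(&v));
    printf("rewritten header flags: %d\n", header_rewrite_result(0x40000000u));
    return 0;
}
```

Both checks reject a header where only the length changed; they differ only when the pointer next to the length is part of what was overwritten.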
