I spent eight hours looking for the cause of a bug in a GIF generator I ported from JavaScript and massively modified in AS 3.0. I was using a 4-megabyte ByteArray for color indexing purposes, whose size expanded toward 4 MB on the fly as needed. The problem was that pixels would occasionally randomly turn up the wrong color, even in controlled and identical conditions.
The reason it took me eight hours to find the bug was that it was not my bug. It turns out that ByteArray does not always zero out the new region when its size is expanded…!
Here is a PoC I slapped together: http://70.84.196.162/psilo/bytearray.swf
This is really bad. If I go to youtube, or myspace, etc. with this URL open, I sometimes see pieces of cleartext from other sites’ .swf files, such as image URLs, and sometimes I see the text I select and type in other sites’ TextFields.
What a rookie mistake!!! This is the first thing you account for when you create a ByteArray type of class in ANY language… let alone something as pervasive as AS 3.0… you have to zero out the memory region… how could they miss this? How can this bug still exist in 9.0r45? Is this reported anywhere yet??? I want my eight hours back.
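The workaround that follows is an added example, not code from the post above: a small AS 3.0 wrapper that never grows a ByteArray through the `length` setter. Every byte that becomes readable is written explicitly, so the contents of a newly exposed region never depend on whatever the allocator handed back. The class name `ZeroedByteArray`, its methods and the 4 KB block size are assumptions for illustration; the standard `flash.utils.ByteArray` API calls (`writeByte`, `writeBytes`, `position`, `length`, indexed access) are real.

```actionscript
package {
    import flash.utils.ByteArray;

    // Added example (hypothetical class, not from the original post).
    // Grows a ByteArray only by appending explicitly written zero bytes.
    public class ZeroedByteArray {
        private var _bytes:ByteArray = new ByteArray();

        // A pre-built block of zeros used for bulk zero-filling.
        private static const ZERO_BLOCK:ByteArray = makeZeroBlock(4096);

        private static function makeZeroBlock(size:uint):ByteArray {
            var block:ByteArray = new ByteArray();
            for (var i:uint = 0; i < size; i++) block.writeByte(0);
            return block;
        }

        public function ZeroedByteArray(initialSize:uint = 0) {
            ensureLength(initialSize);
        }

        public function get length():uint { return _bytes.length; }

        // Grow to at least `newLength` bytes by appending zeros in blocks.
        // Writing at position == length extends the array as a side effect;
        // the `length` property is never assigned directly.
        public function ensureLength(newLength:uint):void {
            if (newLength <= _bytes.length) return;
            var remaining:uint = newLength - _bytes.length;
            _bytes.position = _bytes.length;
            while (remaining > 0) {
                var chunk:uint = Math.min(remaining, ZERO_BLOCK.length);
                _bytes.writeBytes(ZERO_BLOCK, 0, chunk);
                remaining -= chunk;
            }
        }

        // Color-index style access: writes grow the store on demand,
        // reads past the end return 0 instead of throwing EOFError.
        public function setByte(offset:uint, value:uint):void {
            ensureLength(offset + 1);
            _bytes[offset] = value & 0xFF;
        }

        public function getByte(offset:uint):uint {
            return offset < _bytes.length ? _bytes[offset] : 0;
        }

        // Regression self-check: true if every byte in [start, end) is zero.
        // Returns only a verdict, never the bytes themselves.
        public function isZeroed(start:uint, end:uint):Boolean {
            if (end > _bytes.length) return false;
            for (var i:uint = start; i < end; i++) {
                if (_bytes[i] != 0) return false;
            }
            return true;
        }
    }
}
```

In a unit test, `var b:ZeroedByteArray = new ZeroedByteArray(); b.setByte(1000000, 7);` followed by `b.isZeroed(0, 1000000)` should return `true` on every run; with a plain ByteArray grown via `length = 1000001`, the same check is exactly the step that exposes the non-zeroed region the post describes. The bulk `writeBytes` from a pre-zeroed block keeps the cost of growing toward 4 MB low compared with a per-byte loop.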