XMLSocket Destructor Does Not Get Cleared Before Setting User Data in connect

[GoogleCodeExporter]

If XMLSocket connect is called on an object that already has a destroy function 
set, such as a BitmapData object, the method will set the user data of that 
object, but not clear the destroy function. This leads to type confusion when 
the user data is freed during garbage collection.

A sample SWF is attached, it only works on Chrome and the standalone flash 
player. Note that the object that connect is called on is only in a bad state 
for a brief window (after the user data is set, but before the connect callback 
is called), and a crash will only occur if GC occurs during this window.

The issue is triggered by the following code:

    var f = new flash.display.BitmapData(1000,1000,true, 1000);                                   

        flash.Lib._root._global.ASnative(400, 0).call(f, "74.125.239.129", 9999); //XMLSocket.connect

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 21 Nov 2014 at 10:01

Attachments:

• test.swf
• Test.hx

[GoogleCodeExporter]

Confirmed in 64-bit Linux desktop; sent along to Adobe.

Original comment by cev...@google.com on 24 Nov 2014 at 9:57

• Added labels: Id-3158, Reported-2014-Nov-24
• Removed labels: Reported-2014-Nov-21

[GoogleCodeExporter]

Original comment by cev...@google.com on 4 Feb 2015 at 7:05

• Added labels: CVE-2015-0317
• Removed labels: ****

[GoogleCodeExporter]

https://helpx.adobe.com/security/products/flash-player/apsb15-04.html

Original comment by cev...@google.com on 6 Feb 2015 at 3:14

• Changed state: Fixed
• Added labels: Fixed-2015-Feb-5
• Removed labels: ****

[GoogleCodeExporter]

Original comment by cev...@google.com on 12 Feb 2015 at 8:11

• Added labels: ****
• Removed labels: Restrict-View-Commit