UaF on Adobe's Flash

[GoogleCodeExporter]

The attached SWF file generates a NULL deref on IE, Chrome, standalone 
projector, etc.

The interesting part is behind this NULL deref hides a use after free that gets 
exposed on debug builds. 
Chris did some research and here are his comments:

"I should add a note why I think it's a use-after-free: I have access to a 
debug build and in the debug build, there's a fault at 0xcdcdcdcdcdcdcdcd which 
I believe is a debugging aid designed to illustrate use-after-free more 
clearly. It looks like a display object has a stale reference for its parent."

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by fjse...@google.com on 12 Nov 2014 at 5:41

Attachments:

• fuzz-fermin_swfbf-32401.27731-8feb34f77321d753.swf

[GoogleCodeExporter]

Original comment by cev...@google.com on 10 Jan 2015 at 3:26

• Added labels: CVE-2015-0308

[GoogleCodeExporter]

Fixed: http://helpx.adobe.com/security/products/flash-player/apsb15-01.html

Original comment by cev...@google.com on 14 Jan 2015 at 12:52

• Changed state: Fixed
• Added labels: Fixed-2015-Jan-13

[GoogleCodeExporter]

Original comment by cev...@google.com on 12 Feb 2015 at 8:11

• Removed labels: Restrict-View-Commit