If XMLSocket.connect is called on an object that already has a destroy function set, such as a BitmapData object, the method sets the user data of that object but does not clear the existing destroy function. This leads to type confusion when the user data is freed during garbage collection, because the old destroy function runs on data of a different type.
A sample SWF is attached; it only works on Chrome and the standalone Flash Player. Note that the object connect is called on is only in a bad state for a brief window (after the user data is set, but before the connect callback is called), so a crash will only occur if GC runs during this window.
The issue is triggered by the following code:
var f = new flash.display.BitmapData(1000,1000,true, 1000);
flash.Lib._root._global.ASnative(400, 0).call(f, "74.125.239.129", 9999); //XMLSocket.connect
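As an added illustration of the lifecycle defect described above (a constructed C model, not Adobe's code): each script object pairs opaque native user data with the destroy callback the garbage collector runs on it; the buggy connect path replaces the data but keeps the callback, while the hardened path assumed here refuses a receiver that already owns native data. The kind tag in the callbacks stands in for the crash that would occur in the real player.

```c
#include <stdlib.h>
enum kind { KIND_BITMAP = 1, KIND_SOCKET = 2 };
struct bitmap { enum kind kind; unsigned char *pixels; };
struct xmlsocket { enum kind kind; int fd; };
/* Script object: opaque native user data plus the destroy callback the GC runs on it. */
struct script_object { void *userdata; int (*destroy)(void *); };
/* Installed by BitmapData; the tag check stands in for the crash on non-bitmap data. */
static int destroy_bitmap(void *ud) {
    struct bitmap *b = ud;
    if (b->kind != KIND_BITMAP) return -1;          /* type confusion */
    free(b->pixels); free(b); return 0;
}
static int destroy_socket(void *ud) {
    struct xmlsocket *s = ud;
    if (s->kind != KIND_SOCKET) return -1;
    free(s); return 0;
}
static void bitmap_init(struct script_object *o, size_t npixels) {
    struct bitmap *b = malloc(sizeof *b);
    b->kind = KIND_BITMAP; b->pixels = calloc(npixels, 1);
    o->userdata = b; o->destroy = destroy_bitmap;   /* set as a pair */
}
/* Buggy connect, as in the report: new user data, old destroy callback kept. */
static void connect_buggy(struct script_object *o, int fd) {
    struct xmlsocket *s = malloc(sizeof *s);
    s->kind = KIND_SOCKET; s->fd = fd;
    o->userdata = s;                                 /* destroy untouched */
}
/* Constructed fix (not Adobe's): refuse a receiver that already owns native data. */
static int connect_fixed(struct script_object *o, int fd) {
    if (o->destroy != NULL) return -1;
    struct xmlsocket *s = malloc(sizeof *s);
    s->kind = KIND_SOCKET; s->fd = fd;
    o->userdata = s; o->destroy = destroy_socket;
    return 0;
}
/* GC sweep: 0 if the callback accepted its data, -1 on a mismatch. */
int gc_collect(struct script_object *o) {
    int rc = o->destroy ? o->destroy(o->userdata) : 0;
    o->userdata = NULL; o->destroy = NULL;
    return rc;
}
int scenario_buggy(void) {   /* -1: destroy_bitmap runs on socket data */
    struct script_object o = {0}; bitmap_init(&o, 16);
    connect_buggy(&o, 5); return gc_collect(&o);
}
int scenario_fixed(void) {   /* 0: connect rejected, bitmap freed normally */
    struct script_object o = {0}; bitmap_init(&o, 16);
    return connect_fixed(&o, 5) == -1 ? gc_collect(&o) : -2;
}
```

The same invariant (user data and its destroy function are always set or cleared together) is the check a reviewer would look for in any native-object constructor or method that attaches backing data.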
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.