The user data and destroy func of an object can be made inconsistent by calling the superconstructor (method super) more than once. For example, if a class extends BitmapData and its constructor contains the following code:
super();
this.__proto__ = {};
this.__proto__.__constructor__ = String;
super("test");
The object's user data and destroy function will be set for type BitmapData when super is first called, and then its user data will be set for type String when the superconstructor is called the second time. This leaves the object with String user data but the BitmapData destroy func, which leads to type confusion when the object is freed.
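To make the inconsistency concrete, the following is an added model of the mechanism described above, not Flash Player code: a native object carrying a user-data type and a destroy-func type, a "vulnerable" superconstructor that always replaces the user data but only sets the destroy func on the first call, and a hardened variant that rejects a second call. Names such as super_ctor_vulnerable and is_consistent are constructed for this illustration.

```c
/* Constructed model of the double-super() type confusion; not Flash internals. */
#include <stdio.h>

enum native_type { TYPE_NONE = 0, TYPE_BITMAPDATA, TYPE_STRING };

struct script_object {
    enum native_type data_type;    /* type the user data actually has */
    enum native_type destroy_type; /* type the destroy func was chosen for */
    int super_called;              /* hardened path: one superconstructor call only */
};

/* Modelled vulnerable behaviour: user data replaced on every call,
 * destroy func fixed by whichever type arrived first. */
static void super_ctor_vulnerable(struct script_object *o, enum native_type t)
{
    o->data_type = t;
    if (o->destroy_type == TYPE_NONE)
        o->destroy_type = t;
}

/* Hardened behaviour: a repeated superconstructor call is refused, so user
 * data and destroy func can never diverge. Returns 0 on success, -1 if rejected. */
static int super_ctor_hardened(struct script_object *o, enum native_type t)
{
    if (o->super_called)
        return -1;
    o->super_called = 1;
    o->data_type = t;
    o->destroy_type = t;
    return 0;
}

/* Invariant the destroy path relies on: both halves describe the same type. */
static int is_consistent(const struct script_object *o)
{
    return o->data_type == o->destroy_type;
}

/* Replays the constructor from the report: super(); ... super("test"). */
static int double_super_vulnerable_is_consistent(void)
{
    struct script_object o = {0};
    super_ctor_vulnerable(&o, TYPE_BITMAPDATA);
    super_ctor_vulnerable(&o, TYPE_STRING);
    return is_consistent(&o); /* 0: String data, BitmapData destroy func */
}

static int double_super_hardened_is_consistent(void)
{
    struct script_object o = {0};
    super_ctor_hardened(&o, TYPE_BITMAPDATA);
    (void)super_ctor_hardened(&o, TYPE_STRING); /* second call rejected */
    return is_consistent(&o); /* 1: object stays BitmapData throughout */
}
```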
A sample swf and code are attached. To reproduce, click the purple button (this is for ease of analysis; the bug does not require user interaction). The PoC was tested on Chrome and Firefox.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.