Credit is to "Jihui Lu of KeenTeam (@K33nTeam), working with the Chromium vulnerability reward program"

Flash player 15.0.0.239 in Chrome 39 Linux x64.

There is a use-after-free in display list handling. I attach a variety of repro cases, which I believe are all the same root cause based on crash stack traces.

The file "display_list_uaf6.swf" does seem to manifest differently and not be as reliable, so it is worth extra checking that any fix fixes this case.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 

display_list_uaf5.swf 1.1 KB Download

display_list_uaf4.as 1.6 KB Download

display_list_uaf4.swf 1.1 KB Download

display_list_uaf3.swf 1.1 KB Download

display_list_uaf5.as 1.6 KB Download

display_list_uaf6.as 1.5 KB Download

display_list_uaf2.as 2.2 KB Download

display_list_uaf2.swf 1.2 KB Download

display_list_uaf6.swf 1.1 KB Download

display_list_uaf3.as 1.8 KB Download