759 - Adobe Flash: Use-after-free in MovieClip.duplicateMovieClip - project-zero

Starred by 1 user

Status:	Fixed
Owner:	natashenka@google.com
Closed:	May 2016
Cc:	project-...@google.com
Finder-natashenka Deadline-90 Reported-2016-Mar-9 CCProjectZeroMembers Product-Flash Severity-High Vendor-Adobe Finder-mjurczyk CVE-2016-1011

Adobe Flash: Use-after-free in MovieClip.duplicateMovieClip

Project Member Reported by natashenka@google.com, Mar 10 2016

Back to list

There is a use-after-free in MovieClip.duplicateMovieClip.If an action associated with the MovieClip frees the clip provided as the initObject parameter to the call, it will be used after it is freed.A PoC is attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

clone.swf
1.4 KB Download

Project Member Comment 1 by natashenka@google.com, May 5 2016

Labels: -Restrict-View-Commit CVE-2016-1011

Fixed in April update

Project Member Comment 2 by natashenka@google.com, May 16 2016

Status: Fixed

► Sign in to add a comment