Adobe Flash TextField.gridFitType Setter - Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=559

There is a use-after-free in the TextField gridFitType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after it is freed.

A PoC is as follows:

var toptf ...
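
The ordering problem described above, modelled in C as an added example (it is not the report's PoC and not Flash source): a setter that resolves its object before running a script-controlled string conversion, beside one that converts first and then re-checks the object. All type and function names are hypothetical, the free is simulated with a `live` flag so the program stays well defined, and the re-check is a general mitigation pattern, not a description of Adobe's fix.

```c
#include <stdio.h>

/* Toy model (hypothetical names): a text field that script code can free. */
typedef struct { int live; char grid_fit[16]; } TextField;
typedef struct Value Value;
struct Value { const char *(*to_string)(Value *self); TextField *victim; };

static int stale_writes; /* writes that would have landed in freed memory */
static void remove_field(TextField *tf) { tf->live = 0; } /* stands in for free() */

/* Constructed hostile argument: its string conversion frees the field. */
static const char *evil_to_string(Value *v) { remove_field(v->victim); return "pixel"; }
static const char *plain_to_string(Value *v) { (void)v; return "subpixel"; }

static void store(TextField *tf, const char *s) {
    if (!tf->live) { stale_writes++; return; } /* real code would corrupt the heap */
    snprintf(tf->grid_fit, sizeof tf->grid_fit, "%s", s);
}

/* Vulnerable ordering: object validated first, then script-controlled coercion. */
int set_grid_fit_vulnerable(TextField *tf, Value *arg) {
    if (!tf->live) return -1;
    const char *s = arg->to_string(arg); /* may run arbitrary script */
    store(tf, s);                        /* tf is not re-validated */
    return 0;
}

/* Hardened ordering: coerce first, then confirm the object still exists.
   A real engine needs a held reference or handle for this check, not a raw pointer. */
int set_grid_fit_hardened(TextField *tf, Value *arg) {
    const char *s = arg->to_string(arg);
    if (!tf->live) return -1;            /* freed during coercion: drop the write */
    store(tf, s);
    return 0;
}

/* Runs one setter against a fresh field and returns the stale-write count. */
int stale_writes_for(int (*setter)(TextField *, Value *), int hostile) {
    TextField tf = { 1, "none" };
    Value arg = { hostile ? evil_to_string : plain_to_string, &tf };
    stale_writes = 0;
    setter(&tf, &arg);
    return stale_writes;
}

int main(void) {
    printf("vulnerable: %d stale write(s)\n", stale_writes_for(set_grid_fit_vulnerable, 1));
    printf("hardened:   %d stale write(s)\n", stale_writes_for(set_grid_fit_hardened, 1));
    return 0;
}
```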