There are a number of use-after-frees in MovieClip.lineStyle. If any of the String parameters are an object with toString defined, the toString method can delete the MovieClip, which is subsequently…
>> ARCHIVE: 2015-12
There is a use-after-free in the TextField gridFitType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after…
There is a use-after-free in the TextField antiAliasType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after…
There is a use-after-free issue in MovieClip.localToGlobal. If the Number constructor is overwritten with a new constructor and MovieClip.localToGlobal is called with an integer parameter, the new constructor will get…
There is a use-after-free in MovieClip.attachMovie. If a string parameter has toString defined, a number parameter has valueOf defined or an object parameter has its constructor redefined, it can execute…
There is a use-after-free in the TextField.tabIndex setter. If the integer parameter is an object with valueOf defined, then it can free the TextField’s parent, leading to a use-after-free.
There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field’s parent…
There is a use-after-free in the TextField.type setter. If the type the field is set to is an object with toString defined, the toString function can free the field’s parent…
There is a use-after-free in the TextField.htmlText setter. If the htmlText the field is set to is an object with toString defined, the toString function can free the field’s parent…
There is a use-after-free in the TextField.variable setter. If the variable name that is added is an object with toString defined, the toString function can free the field’s parent object,…