Adobe Flash Rectangle Return Use-After-Free

Posted by deepcore on August 29, 2016 – 12:18 pm

Several methods in Adobe Flash return instances of the Rectangle class. There is a use-after-free in creating these objects for return. If the this object of the call is a MovieClip, the Rectangle instantiation will run on its thread. If a getter is added to this class’s package, it will be invoked when fetching the rectangle constructor, which can free the method’s thread, which will cause the Rectangle constructor to run on a thread which has been freed.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« Adobe Flash MovieClip Transform Use-After-Free Edmodo BB #1 – Persistent XSS Web Vulnerability »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

Adobe Flash Rectangle Return Use-After-Free

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL