There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used.
There is a use-after-free in the TextField.tabIndex setter. If the integer parameter is an object with valueOf defined, then it can free the TextField's parent, leading to a use-after-free.
There is a use-after-free in MovieClip.attachMovie. If a string parameter has toString defined, a number parameter has valueOf defined or an object parameter has its constructor redefined, it can execute code and free the this object of the method, leading to a use-after-free.
There is a use-after-free issue in MovieClip.localToGlobal. If the Number constructor is overwritten with a new constructor and MovieClip.localToGlobal is called with an integer parameter, the new constructor will get called. If this constructor frees the MovieClip, a use-after-free occurs.
There is a use-after-free in the TextField antiAliasType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after it is freed.
There is a use-after-free in the TextField gridFitType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after it is freed.
There are a number of use-after-frees in MovieClip.lineStyle. If any of the String parameters is an object with toString defined, the toString method can delete the MovieClip, which is subsequently used.
There are a number of use-after-free vulnerabilities in MovieClip.beginGradientFill. If the spreadMethod or any other string parameter is an object with toString defined, this method can free the MovieClip, which is then used. Note that many parameters to this function can be used to execute script and free the MovieClip during execution; it is recommended that these issues be fixed with a stale pointer check.
This proof of concept exploit triggers a null pointer vulnerability in OffsetChildren on Windows 7 32-bit. By mapping the null page an attacker can leverage this vulnerability to write to an arbitrary address.
This proof of concept exploit triggers a null pointer condition on Windows 7 32-bit, which can potentially be exploited on versions of Windows that allow mapping the null page (e.g. Windows 7 32-bit).
This proof of concept exploit triggers a crash on Windows 7 32-bit with Special Pool enabled on win32k.sys. The kernel crashes due to a use-after-free condition with bitmaps in the clipboard.
Samsung Galaxy S6 suffers from a GIF parsing crash in Samsung Gallery.
Samsung Galaxy S6 suffers from a bitmap decoding crash in Samsung Gallery.