Flash: use-after-free in display list handling

On Windows 8.1 Google Chrome 42.0.2311.90 (Flash 17.0.0.169), crash is like this:

(1284.10d8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\X64\AppData\Local\Google\Chrome\Application\42.0.2311.90\PepperFlash\pepflashplayer.dll - 
eax=02be7428 ebx=02be7428 ecx=02bf6338 edx=00786972 esi=02cd40b0 edi=040dc0b0
eip=00786972 esp=0104e88c ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
00786972 ??              ???
3:042> k
ChildEBP RetAddr  
WARNING: Frame IP not in any known module. Following frames may be wrong.
0104e888 6bda6381 0x786972
00000000 00000000 pepflashplayer!PPP_ShutdownBroker+0x22518e
