Flash: use-after-free in display list handling

On Windows 8.1 with Google Chrome 42.0.2311.90 (Flash 17.0.0.169), the crash looks like this:

(c10.10a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\X64\AppData\Local\Google\Chrome\Application\42.0.2311.90\PepperFlash\pepflashplayer.dll - 
eax=00000100 ebx=02779058 ecx=00000000 edx=03d97001 esi=026c1170 edi=026c1170
eip=6ba4a5cd esp=0294fd40 ebp=026570e8 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
pepflashplayer!PPP_ShutdownBroker+0x2293da:
6ba4a5cd 83781800        cmp     dword ptr [eax+18h],0 ds:002b:00000118=????????
3:047> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0294fd50 6ba4aa6a pepflashplayer!PPP_ShutdownBroker+0x2293da
00000000 00000000 pepflashplayer!PPP_ShutdownBroker+0x229877
