Flash: use-after-free in display list handling

On Windows 8.1 with Google Chrome 42.0.2311.90 (Flash 17.0.0.169), the crash looks like this:

(8c4.19f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\X64\AppData\Local\Google\Chrome\Application\42.0.2311.90\PepperFlash\pepflashplayer.dll - 
eax=00000060 ebx=00000001 ecx=0000005c edx=fe63e000 esi=02704040 edi=0266a1b0
eip=773814b2 esp=009fe7d8 ebp=009fe7d8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
ntdll!RtlEnterCriticalSection+0x12:
773814b2 f00fba3000      lock btr dword ptr [eax],0   ds:002b:00000060=????????
3:042> k
ChildEBP RetAddr  
009fe7d8 6ba8bb84 ntdll!RtlEnterCriticalSection+0x12
WARNING: Stack unwind information not available. Following frames may be wrong.
009fe7f0 6ba8b6cc pepflashplayer!PPP_ShutdownBroker+0x20a991
009fe7f8 6baa6381 pepflashplayer!PPP_ShutdownBroker+0x20a4d9
009fe814 6baa92f1 pepflashplayer!PPP_ShutdownBroker+0x22518e
009fe838 6baac878 pepflashplayer!PPP_ShutdownBroker+0x2280fe
009fe85c 6baac742 pepflashplayer!PPP_ShutdownBroker+0x22b685
009fe8c0 6bdf087a pepflashplayer!PPP_ShutdownBroker+0x22b54f
009fe8e4 6bab82c8 pepflashplayer!PPP_ShutdownBroker+0x56f687
009fe8ec 6b9c052b pepflashplayer!PPP_ShutdownBroker+0x2370d5
00000000 00000000 pepflashplayer!PPP_ShutdownBroker+0x13f338
