A crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86. The crash is caused by a 1 bit delta from the original file at offset 0x4A45. OffViz identified this offset as OLESSRoot.DirectoryEntries[100].OLESSDirectoryEntry[20].sidLeft with an original value of 0x00000000 and a fuzzed value of 0x00008000.
1abb29b1bfd3c4155dea845a8f4a1b457d8108a08fdcb085f1548e3efeb296aaThere is a use-after-free in the TextField gridFitType setter.
9cfc47e31890f361abe09b956c4448a09809f5f2f950712ad016beb1ef1a03f2A crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 running on Windows 7 x86. The attached PoC file will reproduce when Word is closed. However, there were other crashing files (not attached) faulting on the same EIP that did not require Word to be be closed to trigger the crash. This particular PoC did not minimize cleanly and has 666 deltas from the original non-fuzzed file.
1b07b9c7986e7c9c019e444f6094091612c97c9809f57e6a2e72cfe6cd7b5126If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.
95ab8619713493badebfbf2dae76fc13420fcd4f602713b108d2bb448361a346A crash was observed in MS Office 2007 running under Windows 2003 x86. Microsoft Office File Validation Add-In is disabled and application verified was enabled for testing and reproduction. This sample did not reproduce in Office 2010 running on Windows 7 x86. The attached minimized PoC that produces the crash with 2 bit changes from the original file at offsets 0x11E60 and 0x1515F. Standard office document parsers did not reveal any significance about this location.
64642201e34edd3485b55db10852c7ff6216617108d4d18639058079b398f937Adobe Flash suffers from a URL resource use-after-free vulnerability.
b04ff115627b5b76c68978f46ab63e22389ddd834b882f77fa2abc234019242eThere is a type confusion issue in TextRenderer.setAdvancedAntialiasingTable. If the font, insideCutoff or outsideCutoff are set to objects that are not integers, they are still assumed to be integers.
a39594a8976bb4f531c327c7e110dd1c104a7e1916ad2cb698311e6d442f6784There is a use-after-free in CreateTextField in Adobe Flash.
273c349edf06a32073f319cedaeee5bb11cb28bcdc6a8e4ff0b6c4491275e257A heap overflow exists due to a 64-32 integer truncation issue in device/hid/hid_connection_linux.cc.
770ba2318e417025ee29f56a1103dfb964c9deb4f6c83609e26beb78d0effa4fThe proof of concept works by triggering a wild copy in order to demonstrate the crash. But other side-effects are possible such as decrementing the refcount of an out-of-bounds index.
d354b53a4080ae486dd69761b4252b5e10b5e424aae7f11b794443c70d285daaThere is a use-after-free in MovieClip.swapDepths in Adobe Flash.
fdc90abdb1b2a25ee44d0715804979dcd608cbd02e9a1639cbcdf73c438f77f6Researchers have encountered a Windows kernel crash in the win32k!fsc_BLTHoriz function while processing corrupted TTF font files.
5b06b6212cc51d413bdd06023037f42808725455f1165b6efd62121434c36394Researchers have encountered a Windows kernel crash in the win32k!fsc_RemoveDups function while processing corrupted TTF font files.
49ff9762af828d1e6b2e50488ceae9afbbccea4122ec458cc3e8a553d5f7e5aaThe attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.
4c1acddf8f07f6545317d049c59f4af89211c523cf6ef53842973345239d2469The attached sample, signal_sigsegv_7ffff60a1429_9554_f4dc661554237404dfe394d4c6c3e674.swf, crashes on Linux x64.
576dca8249e5bf441b6ff1587895439d38da0d1c81ab8174fa260345c26a6b1bThe attached sample, signal_sigsegv_7ffff603deef_1525_268381c02bc3b05c84578ebaeafc02f0.swf, typically crashes on Linux x64 build (Flash v17.0.0.188).
fd12f01c9fd51ba81094c5dc05092a2ce0cc36a748d2d389573b850c73ad3728The attached swf file in Google Chrome (Linux x64) will eventually result in dialog offering to terminate the slow script.
17b207be2be2c98b9917a15b28b622575b3a5ea1d9db9361a651b483559ced30A nasty looking crash is manifesting in various different ways under fuzzing, apparently related to drawing and bitmap handling.
e53bbf5ffe51ba5e1ba406eb0b58ff40edd25c9943807440ef21cb92a486578dResearchers have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files.
67e07a94bd3af7f8fb477b9542888d1cf25f1dc629893818446d17a6c15e0452An out-of-bounds memory read occurs when Adobe Flash parses a mutated TTF file embedded in a swf.
3e2118575612a001e7d4cabff18c63bc1b2734d53f9b701a601c82011bcff5beThere is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
c8c4ddb8248e3234cb7f686b990e44c2c471253c71a58e09d477456af6b8c3b9Issues in DefineBitsLossless and DefineBitsLossless2 leads to using uninitialized memory while rendering a picture. This is caused by the returned value of a zlib function not properly checked.
396c2a8d45a861b578261ac35463e414a0c7141b924077f21e2a31daf61bcf90Loading a weird MPD file can corrupt flash player's memory.
838fb72db8a1b4cff405ee11b823ee6860c72fe5b2122b2eea654ffdf46183a5Use After Free in Flash AVSS.setSubscribedTags, setCuePointTags and setSubscribedTagsForBackgroundManifest can be abused to write pointers to String to freed locations.
4fd920218793a46ab9cce3ab98f7a35862ab1c6417a8854638fed40036695f51An integer overflow while calling Function.apply can lead to enter an ActionScript function without correctly validating the supplied arguments. Chrome version 41.0.2272.101 stable with Flash version 17.0.0.134 is affected.
851dccc1f099ae9b266f4f0571a50d127e908035fc85ecbce224da0685db6067
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed