A crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86. The crash is caused by a 1 bit delta from the original file at offset 0x4A45. OffViz identified this offset as OLESSRoot.DirectoryEntries[100].OLESSDirectoryEntry[20].sidLeft with an original value of 0x00000000 and a fuzzed value of 0x00008000.
1abb29b1bfd3c4155dea845a8f4a1b457d8108a08fdcb085f1548e3efeb296aa
There is a use-after-free in the TextField gridFitType setter.
9cfc47e31890f361abe09b956c4448a09809f5f2f950712ad016beb1ef1a03f2
A crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 running on Windows 7 x86. The attached PoC file will reproduce when Word is closed. However, there were other crashing files (not attached) faulting on the same EIP that did not require Word to be closed to trigger the crash. This particular PoC did not minimize cleanly and has 666 deltas from the original non-fuzzed file.
1b07b9c7986e7c9c019e444f6094091612c97c9809f57e6a2e72cfe6cd7b5126
If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.
95ab8619713493badebfbf2dae76fc13420fcd4f602713b108d2bb448361a346
A crash was observed in MS Office 2007 running under Windows 2003 x86. Microsoft Office File Validation Add-In was disabled and Application Verifier was enabled for testing and reproduction. This sample did not reproduce in Office 2010 running on Windows 7 x86. The attached minimized PoC produces the crash with 2 bit changes from the original file at offsets 0x11E60 and 0x1515F. Standard Office document parsers did not reveal any significance about these locations.
64642201e34edd3485b55db10852c7ff6216617108d4d18639058079b398f937
Adobe Flash suffers from a URL resource use-after-free vulnerability.
b04ff115627b5b76c68978f46ab63e22389ddd834b882f77fa2abc234019242e
There is a type confusion issue in TextRenderer.setAdvancedAntialiasingTable. If the font, insideCutoff or outsideCutoff are set to objects that are not integers, they are still assumed to be integers.
a39594a8976bb4f531c327c7e110dd1c104a7e1916ad2cb698311e6d442f6784
There is a use-after-free in CreateTextField in Adobe Flash.
273c349edf06a32073f319cedaeee5bb11cb28bcdc6a8e4ff0b6c4491275e257
A heap overflow exists due to a 64-32 integer truncation issue in device/hid/hid_connection_linux.cc.
770ba2318e417025ee29f56a1103dfb964c9deb4f6c83609e26beb78d0effa4f
The proof of concept works by triggering a wild copy in order to demonstrate the crash. But other side-effects are possible such as decrementing the refcount of an out-of-bounds index.
d354b53a4080ae486dd69761b4252b5e10b5e424aae7f11b794443c70d285daa
There is a use-after-free in MovieClip.swapDepths in Adobe Flash.
fdc90abdb1b2a25ee44d0715804979dcd608cbd02e9a1639cbcdf73c438f77f6
Researchers have encountered a Windows kernel crash in the win32k!fsc_BLTHoriz function while processing corrupted TTF font files.
5b06b6212cc51d413bdd06023037f42808725455f1165b6efd62121434c36394
Researchers have encountered a Windows kernel crash in the win32k!fsc_RemoveDups function while processing corrupted TTF font files.
49ff9762af828d1e6b2e50488ceae9afbbccea4122ec458cc3e8a553d5f7e5aa
The attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.
4c1acddf8f07f6545317d049c59f4af89211c523cf6ef53842973345239d2469
The attached sample, signal_sigsegv_7ffff60a1429_9554_f4dc661554237404dfe394d4c6c3e674.swf, crashes on Linux x64.
576dca8249e5bf441b6ff1587895439d38da0d1c81ab8174fa260345c26a6b1b
The attached sample, signal_sigsegv_7ffff603deef_1525_268381c02bc3b05c84578ebaeafc02f0.swf, typically crashes on Linux x64 build (Flash v17.0.0.188).
fd12f01c9fd51ba81094c5dc05092a2ce0cc36a748d2d389573b850c73ad3728
The attached swf file, when loaded in Google Chrome (Linux x64), will eventually result in a dialog offering to terminate the slow script.
17b207be2be2c98b9917a15b28b622575b3a5ea1d9db9361a651b483559ced30
A nasty-looking crash is manifesting in various different ways under fuzzing, apparently related to drawing and bitmap handling.
e53bbf5ffe51ba5e1ba406eb0b58ff40edd25c9943807440ef21cb92a486578d
Researchers have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files.
67e07a94bd3af7f8fb477b9542888d1cf25f1dc629893818446d17a6c15e0452
An out-of-bounds memory read occurs when Adobe Flash parses a mutated TTF file embedded in a swf.
3e2118575612a001e7d4cabff18c63bc1b2734d53f9b701a601c82011bcff5be
There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
c8c4ddb8248e3234cb7f686b990e44c2c471253c71a58e09d477456af6b8c3b9
Issues in DefineBitsLossless and DefineBitsLossless2 lead to the use of uninitialized memory while rendering a picture. This is caused by the return value of a zlib function not being properly checked.
396c2a8d45a861b578261ac35463e414a0c7141b924077f21e2a31daf61bcf90
Loading a weird MPD file can corrupt flash player's memory.
838fb72db8a1b4cff405ee11b823ee6860c72fe5b2122b2eea654ffdf46183a5
A use-after-free in Flash AVSS.setSubscribedTags, setCuePointTags and setSubscribedTagsForBackgroundManifest can be abused to write pointers to String objects to freed locations.
4fd920218793a46ab9cce3ab98f7a35862ab1c6417a8854638fed40036695f51
An integer overflow while calling Function.apply can lead to entering an ActionScript function without correctly validating the supplied arguments. Chrome version 41.0.2272.101 stable with Flash version 17.0.0.134 is affected.
851dccc1f099ae9b266f4f0571a50d127e908035fc85ecbce224da0685db6067