Safari performs an out-of-bounds read when calling the bound function.
c34419dbfdc88927512ecd0928e9ba0ad20ee01eb077380d69ea9fd9a6bd1bc8Safari suffers from a type confusion vulnerability in DateTimeFormat.format.
bcbbe721812e3c9844aa096ccd242bccd99e577311663d34b1850a138057a5eaThe built-in JavaScript in the Safari browser allows Function.caller to be used in strict mode.
1884c9b6bc5c81281bf6c6ce0bb8b15f58a86018597a7480f0520481b1474f57Adobe Flash suffers from a heap overflow vulnerability in AVC header slicing.
fbef41a0db49fefaee13e0da46006ecb460efa8c48004beb4d978126e1febaffAdobe Flash suffers from a heap overflow vulnerability in ATF Planar Decompression.
1f3f4804170f55e0594564e62f7f8b2127c2acfc75e1949445ca48090e930764Adobe Flash suffers from a heap overflow vulnerability in ATF thumbnailing.
c7fb3ad920b9843a00f95e3df1c7cb4d4d12bb712ee93c03c756181ff79a6081Adobe Flash suffers from a use-after-free in MovieClip attach init object.
288bf2654c07f8a5762dbf1c27ee8dd3db7b77c46a21c4e6c32e26490a40cf2eAdobe Flash suffers from an out-of-bounds read in metadata parsing.
f2d169c3f1506cdaaae621fd8675063bc4928c96e812355f017f5911c322d44eAdobe Flash suffers from an overflow vulnerability during MP4 AMF parsing.
975f33074a57e3cfc572b9cf9519a6d3855366d379e71d3cc22b0b38ac580121Adobe Flash suffers from a stack corruption vulnerability using a fuzzed SWF file.
861f5baa072230b7939cd1b63451ce6753e5bfa28f6b0c8f8760db23344f9efdAdobe Flash suffers from a heap overflow vulnerability during YUVPLane decoding.
2bf4e6c3b7be108e8fdfd8baf1d8546149c39e64a4f46c8b3fe36fb7fd6bca33Adobe Flash suffers from a use-after-free vulnerability in applying bitmapfilter.
c3983405af4d8f611ecd50aa0083c83ab68a09eb670364bcd670de0a0063bf60Microsoft Edge suffers from a use-after-free in TypedArray.sort.
11de475950a4aa66ba0d851df8cd28b3240b3556f3a57a242500360bc7b10cf1Microsoft Edge suffers from a type confusion vulnerability in internationalization initialization.
0be320830419d4d413759485f8f9434390d748bbadbe6240c606e8d40c43b5f1Microsoft Edge suffers from an uninitialized memory vulnerability in SIMD.toLocaleString.
643bb73906252ab5624064b3341377969b656d9e7c0942f2729b87dab962bac4Microsoft Edge has an information leak in JSON.parse. If this function is called with a reviver, and the reviver modifies the output object to contain a native array, the Walk function assumes that this array is a Var array, and writes pointers to it. These pointers can then be read out of the array by script.
28aba0b72143b7ea7aebe7de276ebb7d83f377a03b421526aea18446883104b0JavascriptArray::FillFromPrototypes is a method that is used by several Javascript functions available in the browser to set the native elements of an array to the values provide by its prototype. This function calls JavascriptArray::ForEachOwnMissingArrayIndexOfObject with the prototype of the object as a parameter, and if the prototype of the object is an array, it assumes that it is a Var array. While arrays are generally converted to var arrays if they are set as an object's prototype, if an object's prototype is a Proxy object, it can return a parent prototype that is a native int array. This can lead to type confusing, allowing an integer to be treated as an absolute pointer, when JavascriptArray::FillFromPrototypes is called.
101dc4b8ff4f7d1e144aeed9b089ca5fedd08e6c84b3be506d775adb205e3772There is a heap overflow in Array.splice in Chakra. When an array is spliced, and overflow check is performed, but ArraySpeciesCreate, which can execute code and alter the array is called after this. This can allow an Array with boundaries that cause integer overflows to be spliced, leading to heap overflows in several situations.
6a5819407b1a08e3e5fb1fe3572513e26e584b6fd29bae8efb15d284321b36d2There is an overflow when reversing arrays in Chakra. On line 5112 of JavascriptArray::EntryReverse, the length of the array is fetched and stored. It is then passed as a parameter into JavascriptArray::ReverseHelper, which then calls FillFromPrototypes, which can change the size of the array.
51efc1a7f671ca4ab3f0714c3f5a4fe110049441aaaf858fda262b78d884d718There is an info leak in Array.filter. In Chakra, the destination array that arrays are filtered into is initialized using ArraySpeciesCreate, which can create both native and variable arrays. However, the loop that calls the filter function assumes that the destination array is a variable array, and sets each value using DirectSetItemAt, which is unsafe, and can lead to a var pointer being written to an integer array.
b151790aef488a9024d8165bd0cf284b8a3f10045d03d24b0017ec0d7a8eab30In Chakra, function calls can sometimes take an extra internal argument, using the flag CallFlags_ExtraArg. The global eval function makes assumptions about the type of this extra arg, and casts it to a FrameDisplay object. If eval is called from a location in code where an extra parameter is added, for example, a Proxy function trap, and the extra parameter is of a different type, this can lead to type confusion.
d7ea56cd00bb283459fd55c24ac87e4186f692adde4a4facfd812d4b0ca61f2bThe included fuzz test case demonstrates an overflow in rastering for Adobe Flash.
637e42b945221fae8e6dae651bf8b8608a73661c378f35d81a53e8b60128cc71Microsoft Edge suffers from a stack overflow vulnerability in the spread operator.
d00c2fc8649704c35e6a86501516a842f551c272f6170e5abd9360509a2010eeMicrosoft Edge suffers from an Array.map head overflow vulnerability.
bb7df06e67057dfbacb646945da8bb9d1d43a0e5f6bfcc39a8623d35f47993feMicrosoft Edge suffers from a Function.apply information leakage vulnerability.
dbb17a0dd7282cd24f147dc456608a799eff5c1d1b4b3af23f6e0534a00a7768
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed