Adobe Flash suffers from an out-of-bounds read when placing an object.
334dac2fca295969639dab502bd3035daec81f42b9e1553b9e228ebd6893bd38Adobe Flash suffers from an out-of-bounds read in JXR processing.
4d2ffcbda8d90e4a9ba2282dc13248570010b43be48803e8ae5383c9bdc1e053There is a use-after-free in URLStream.readObject in Adobe Flash. If the object read is a registered class, the constructor will get invoked to create the object. If the constructor calls URLStream.close, the URLStream will get freed, and then the deserialization function will continue to write to it.
ff1259c633764b7a4794d5334683a4bcf01d89145f1bfec987f03e966c7618a2There is a use-after-free in the TextField.maxChars setter in Adobe Flash. If the maxChars the field is set to is an object with valueOf defined, the valueOf function can free the field's parent object, which is then used.
7a1e6f0aefd065fa5598d8e14351aaea609229d3aa442245f79ee5456d6b33c4The included proof of concept causes a crash in ih264d_process_intra_mb in avc parsing, likely due to incorrect bounds checking in one of the memcpy or memset calls in the method.
59a02eb3367da1b1cbaf20e9656c62e0fd3ded3ac84bdcccdb5cbdcde3f810f7If Color.setTransform in Adobe Flash is set to a transform that deletes the field it is called on, a use-after-free occurs.
737d1b4bab2ed50a128829549d0ea0aa7f0ecba5a9bab13ad24a45666ea8d406Adobe Flash has a heap overflow vulnerability in the Zlib codecs when playing flv files.
08105a5eab48b0c73b46d78b3dac94e27c8f4057fb00f1f9ce4ea6fafd037bdbThere is a use-after-free in Sprite Creation. If a Sprite is created, and then the handler for the frameConstructed event triggers a remove object action, the Sprite is then used after it has been freed.
c39ed19e599f2e87429baaa1420ef1c22c03fa613b8ce27ef51b01a165eed4b8The ActionScript parameter conversion in the fix for an issue in the December Flash bulletin APSB15-32 can sometimes access a parameter on the native stack that is uninitialized.
982e087bae1ff3d75902f159298bed43a1c32bb041ce513c46a96da67786a262The ActionScript parameter conversion in the fix for an issue in the December Flash bulletin APSB15-32 can sometimes access a parameter on the native stack that is uninitialized.
fca666e43ec07be074a4810a7671db92ce36a0d756afde739005726379118d6fThe ActionScript parameter conversion in the fix for Google Security Research issue 403 can sometimes access a parameter on the native stack that is uninitialized.
ccc716718377c7f69a2d68eb3c1540336084d2a28e046619c48fea014951002eThere is a use-after-free in setInterval. If the interval length is an object with valueOf defined, this method gets executed, and can delete the object the interval is being set on.
cc2adc9a2940710a875fafa69fdae84c7e355762d1060554d76af5275b287193There is a use-after-free in Sound.setTransform similar to the one described in CVE-2015-8434. If the transform object provided is an integer primitive, and the Number constructor is overwritten, this constructor will be executed and can free the internal sound transform, which is then written to.
9cf5ceec9d1b8789d8ae0b14a3c45b7fe4d93c657668793da9239af45b02f16dAn included fuzzing case demonstrates a crash in Adobe Flash shape rendering.
efc9af51bcd69cfee5ecf9979add44fc4891f75646247fc53ec96acdedf5bccbThere is a type confusion vulnerability in the SimpleButton constructor. Flash stores an empty button to use to create buttons for optimization reasons. If this object is created using a SWF tag before it is created in the Button class, and it not of type Button, type confusion can occur.
7599e6513ebba54c924cb1897955fa83dea113a866068a2d1b4b039d4ac55dc5There is a type confusion vulnerability in the TextField constructor in AS3. When a TextField is constructed, a generic backing object is created and reused when subsequent TextField objects are created. However, if an object with the same ID has already been created in the SWF, it can be of the wrong type. The constructor contains a check for this situation, though, and throws an exception and sets a flag to shut down the player if this occurs. The backing object is then set to be of type TextField to avoid any modifications that have been made on it by the constructor from causing problems if it is used as an object of its original type elsewhere in the player. However, if the exception thrown by the constructor is caught, the exception handler can create another TextField object, and since the type of the generic backing object has been changed, an object of the wrong type is now backing the TextField, which makes it possible to set the pointers in the object to integer values selected by the attacker. The PoC swf for this issue needs to be created by hand.
89244b28a4549217c3946663d62b8133ad186a92cdb4285eeff70e6a18cdb172There is a dangling pointer that can be read, but not written to in loadPCMFromByteArray. A proof of concept is included.
6a837aeb0f69779cabe3ac91d53929ecab287b6e562f832a1364d2e7e1364980There is a use-after-free in LoadVars.decode. If a watch is set on the object that the parameters are being decoded into, and the watch deletes the object, then other methods are called on the deleted object after it is freed.
fbe2ae5d15b3901564ae333ef65dc05ba1b8f150b143e8b0a87296c853c3503aThe included fuzzing test case causes a crash due to a heap overflow in BitmapData.drawWithQuality.
71eac9af938822ce100e076b77f44a4fc957277d6ed3fc9956efc03536dabb10There is an overflow in the ui::PlatformCursor WebCursor::GetPlatformCursor method in Google Chrome.
bd224e90b919011fec7fdaac0829c431dedd237dd5c4bc4e9724abccb5fe6fb5This jpg file causes an invalid pointer to be freed when media scanning occurs on Samsung Galaxy S6.
c28f5048c94508b781d43243304bf68709181131a5a4fdac2d1d3ce2a45f4842This proof of concept file causes memory corruption when it is scanned by the face recognition library in android.media.process.
f2ebb31f8a063f8972d6266edc011080f62366d4a268e944ad5de5ed57e2d0c6There is a use-after-free vulnerability in Sound.setTransform. If a transform value is set to an object with valueOf defined, it can free the transform before the values are set.
c1ceaaaa99b552103d65a27ff421a1450a5ae32dd9aa482a6a5ee0d3f1498394There is a use-after-free in MovieClip.attachBitmap. If the depth parameter is an object with valueOf defined, this method can free the MovieClip, which is then used.
1a53857646bf613431067a57c39e68fce010b87e4dc0cc01d200ff2bfadd9bebThere is a use-after-free in MovieClip.startDrag. If a parameter an object with valueOf defined, this method can free the MovieClip, which is then used.
e479fa941ff211a21353dd962d4b4fe88a594a11c11379dd4a855f8d02e16580
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed