Adobe Flash suffers from an out-of-bounds read when placing an object.
334dac2fca295969639dab502bd3035daec81f42b9e1553b9e228ebd6893bd38
Adobe Flash suffers from an out-of-bounds read in JXR processing.
4d2ffcbda8d90e4a9ba2282dc13248570010b43be48803e8ae5383c9bdc1e053
There is a use-after-free in URLStream.readObject in Adobe Flash. If the object read is a registered class, the constructor will get invoked to create the object. If the constructor calls URLStream.close, the URLStream will get freed, and then the deserialization function will continue to write to it.
ff1259c633764b7a4794d5334683a4bcf01d89145f1bfec987f03e966c7618a2
There is a use-after-free in the TextField.maxChars setter in Adobe Flash. If the value assigned to maxChars is an object with valueOf defined, the valueOf function can free the field's parent object, which is then used.
7a1e6f0aefd065fa5598d8e14351aaea609229d3aa442245f79ee5456d6b33c4
The included proof of concept causes a crash in ih264d_process_intra_mb in avc parsing, likely due to incorrect bounds checking in one of the memcpy or memset calls in the method.
59a02eb3367da1b1cbaf20e9656c62e0fd3ded3ac84bdcccdb5cbdcde3f810f7
If the transform passed to Color.setTransform in Adobe Flash deletes the field it is called on, a use-after-free occurs.
737d1b4bab2ed50a128829549d0ea0aa7f0ecba5a9bab13ad24a45666ea8d406
Adobe Flash has a heap overflow vulnerability in the Zlib codecs when playing flv files.
08105a5eab48b0c73b46d78b3dac94e27c8f4057fb00f1f9ce4ea6fafd037bdb
There is a use-after-free in Sprite Creation. If a Sprite is created, and then the handler for the frameConstructed event triggers a remove object action, the Sprite is then used after it has been freed.
c39ed19e599f2e87429baaa1420ef1c22c03fa613b8ce27ef51b01a165eed4b8
The ActionScript parameter conversion in the fix for an issue in the December Flash bulletin APSB15-32 can sometimes access a parameter on the native stack that is uninitialized.
982e087bae1ff3d75902f159298bed43a1c32bb041ce513c46a96da67786a262
The ActionScript parameter conversion in the fix for an issue in the December Flash bulletin APSB15-32 can sometimes access a parameter on the native stack that is uninitialized.
fca666e43ec07be074a4810a7671db92ce36a0d756afde739005726379118d6f
The ActionScript parameter conversion in the fix for Google Security Research issue 403 can sometimes access a parameter on the native stack that is uninitialized.
ccc716718377c7f69a2d68eb3c1540336084d2a28e046619c48fea014951002e
There is a use-after-free in setInterval. If the interval length is an object with valueOf defined, this method gets executed, and can delete the object the interval is being set on.
cc2adc9a2940710a875fafa69fdae84c7e355762d1060554d76af5275b287193
There is a use-after-free in Sound.setTransform similar to the one described in CVE-2015-8434. If the transform object provided is an integer primitive, and the Number constructor is overwritten, this constructor will be executed and can free the internal sound transform, which is then written to.
9cf5ceec9d1b8789d8ae0b14a3c45b7fe4d93c657668793da9239af45b02f16d
An included fuzzing case demonstrates a crash in Adobe Flash shape rendering.
efc9af51bcd69cfee5ecf9979add44fc4891f75646247fc53ec96acdedf5bccb
There is a type confusion vulnerability in the SimpleButton constructor. Flash stores an empty button to use to create buttons for optimization reasons. If this object is created using a SWF tag before it is created in the Button class, and it is not of type Button, type confusion can occur.
7599e6513ebba54c924cb1897955fa83dea113a866068a2d1b4b039d4ac55dc5
There is a type confusion vulnerability in the TextField constructor in AS3. When a TextField is constructed, a generic backing object is created and reused when subsequent TextField objects are created. However, if an object with the same ID has already been created in the SWF, it can be of the wrong type. The constructor contains a check for this situation, though, and throws an exception and sets a flag to shut down the player if this occurs. The backing object is then set to be of type TextField to avoid any modifications that have been made on it by the constructor from causing problems if it is used as an object of its original type elsewhere in the player. However, if the exception thrown by the constructor is caught, the exception handler can create another TextField object, and since the type of the generic backing object has been changed, an object of the wrong type is now backing the TextField, which makes it possible to set the pointers in the object to integer values selected by the attacker. The PoC swf for this issue needs to be created by hand.
89244b28a4549217c3946663d62b8133ad186a92cdb4285eeff70e6a18cdb172
There is a dangling pointer that can be read, but not written to in loadPCMFromByteArray. A proof of concept is included.
6a837aeb0f69779cabe3ac91d53929ecab287b6e562f832a1364d2e7e1364980
There is a use-after-free in LoadVars.decode. If a watch is set on the object that the parameters are being decoded into, and the watch deletes the object, then other methods are called on the deleted object after it is freed.
fbe2ae5d15b3901564ae333ef65dc05ba1b8f150b143e8b0a87296c853c3503a
The included fuzzing test case causes a crash due to a heap overflow in BitmapData.drawWithQuality.
71eac9af938822ce100e076b77f44a4fc957277d6ed3fc9956efc03536dabb10
There is an overflow in the ui::PlatformCursor WebCursor::GetPlatformCursor method in Google Chrome.
bd224e90b919011fec7fdaac0829c431dedd237dd5c4bc4e9724abccb5fe6fb5
This jpg file causes an invalid pointer to be freed when media scanning occurs on Samsung Galaxy S6.
c28f5048c94508b781d43243304bf68709181131a5a4fdac2d1d3ce2a45f4842
This proof of concept file causes memory corruption when it is scanned by the face recognition library in android.media.process.
f2ebb31f8a063f8972d6266edc011080f62366d4a268e944ad5de5ed57e2d0c6
There is a use-after-free vulnerability in Sound.setTransform. If a transform value is set to an object with valueOf defined, it can free the transform before the values are set.
c1ceaaaa99b552103d65a27ff421a1450a5ae32dd9aa482a6a5ee0d3f1498394
There is a use-after-free in MovieClip.attachBitmap. If the depth parameter is an object with valueOf defined, this method can free the MovieClip, which is then used.
1a53857646bf613431067a57c39e68fce010b87e4dc0cc01d200ff2bfadd9beb
There is a use-after-free in MovieClip.startDrag. If a parameter is an object with valueOf defined, this method can free the MovieClip, which is then used.
e479fa941ff211a21353dd962d4b4fe88a594a11c11379dd4a855f8d02e16580