There is a use-after-free in MovieClip.duplicateMovieClip. If the depth or movie name parameter provided is an object with toString or valueOf defined, this method can free the MovieClip, which is then used.
e936ec48ce119179fb911647dd9431f43776db694735d18ab919a4433fa1ad4cThere is a use-after-free in Selection.SetSelection. If it is called with a number parameter, which is an object with valueOf defined, and this function frees the parent of the TextField parameter, the object is used after it is freed. A minimal PoC follows:
217561bd45b3c92552115daee855b258b298674d8c5a5b4f03c0a9d14d073306There is a use-after-free in the TextField sharpness setter. If the sharpness parameter is an object with valueOf set to a function which frees the TextField parent, it is used after it is freed.
7493a0885f46ddf809858c9ad8b0a46b185be83cdcbfa026ae184f5993e961afThere is a use-after-free in the TextField thickness setter. If the thickness parameter is an object with valueOf set to a function which frees the TextField parent, it is used after it is freed.
e4ff4a515fcc1862e4b29c13c2a15404c86f2cea6d2fa31892a1c1a54d5ba8daThe TextField setFormat method contains a use-after-free. If an integer parameter has valueOf defined, or the object parameter overrides a constructor, this method can free the TextField parent, which is subsequently used.
4fa2435bebe5f4be1d84b27026f8d38e6eabd6157f6c7f69688afb3aa6b813d3There is a use-after-free in the TextField.replaceText function. If the function is called with a string parameter with toString defined, or an integer parameter with valueOf defined, the parent object of the TextField can be used after it is freed.
e63876f27dc914022bc2a7ed2d30bcba34c54e4c16104e2d22aad1102cd2ffe5If a TextField variable is set to a value with toString defined, and the TextField is updated, a use-after-free can occur if the toString method frees the TextField's parent.
fa786f1b3cea6369a32618396207c3f49ff8358de6197ac6e9ef01f923f571baThere is a use-after-free in the TextField.variable setter. If the variable name that is added is an object with toString defined, the toString function can free the field's parent object, which is then used.
4de2d91bb0dbd6bbc048520404458cb628a85da2c406af413c7929cab76e2043There is a use-after-free in the TextField.htmlText setter. If the htmlText the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used.
39b8e75529854b070a0167968d45644015d1438839c8c17f23d3530833c4c010There is a use-after-free in the TextField.type setter. If the type the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used.
84ef1515971853553ba9bdb9a67b2d84ff1c244114ce6d34410b1e7d00c55714There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used.
9d96d2e8b4ffc7b089507f4b34bf39de753905872b8eb241586c663c985cf67bThere is a use-after-free in the TextField.tabIndex setter. If the integer parameter is an object with valueOf defined, then it can free the TextField's parent, leading to a use-after-free.
0350c0810358682cfb87c4db17446a25f6c8da78348a1edaa5d141e49ebfde1aThere is a use-after-free in MovieClip.attachMovie. If a string parameter has toString defined, a number parameter has valueOf defined or an object parameter has its constructor redefined, it can execute code and free the this object of the method, leading to a use-after-free.
ed4db34e43e3caa36fcc1564a0d73c60bdb53d44cd0b9886a1954a6e86a5fde3There is a use-after-free issue in MovieClip.localToGlobal. If the Number constructor is overwritten with a new constructor and MovieClip.localToGlobal is called with an integer parameter, the new constructor will get called. If this constructor frees the MovieClip, a use-after-free occurs.
9b00793145cb36766ffc56f7c69bb6851a3d155c2634381ff7926eb04aa8d23dThere is a use-after-free in the TextField antiAliasType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after it is freed.
f871b77faebeff514e1544075f62b5400324200a47c3d190c1c2ac8a6aca0ba5There is a use-after-free in the TextField gridFitType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after it is freed.
1d54659faa27363193dfbcb808bc3e21e30077689df66a670c2377623bb176bbThere are a number of use-after-frees in MovieClip.lineStyle. If any of the String parameters are an object with toString defined, the toString method can delete the MovieClip, which is subsequently used.
dc11327efa3495f2484c36b444d3176f57ea0b0b33462c5f54c3c68d1fcb1465There are a number of use-after-free vulnerabilities in MovieClip.beginGradientFill. If the spreadMethod or any other string parameter is an object with toString defined, this method can free the MovieClip, which is then used. Note that many parameters to this function can be used to execute script and free the MovieClip during execution, it is recommended that this issues be fixed with a stale pointer check.
57667d7fb95d4e7f97ac85d9bca8fb59ed26e9075e32e5856e6d205aaaf920f9Samsung Galaxy S6 suffers from a gif parsing crash in Samsung Gallery.
1888e67a728513e8cd393db3e20349262212f24acc1bffc72a4c47bc6d390b05Samsung Galaxy S6 suffers from a bitmap decoding crash in Samsung Gallery.
b5dfd64ba8ca5fdf49e8b162af363928f2cc6086a53817ac47499c6c57342a90The FireEye MPS (Malware Protection System) is vulnerable to a remote code execution vulnerability, simply from monitoring hostile traffic. FireEye is designed to operate as a passive network tap, so that it can see all the files and emails that enter a monitored network. This vulnerability allows an attacker to compromise the FireEye device, get a root shell and start monitoring all traffic on the victim network (emails, attachments, downloads, web browsing, etc). This is about the worst possible vulnerability that you can imagine for a FireEye user, it literally does not get worse than this.
5b71a70797f1a740a3f3bf38f4315c8da4214ac349a05291753b4222407a507fIf IExternalizable.readExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.
737efddab602eec39d06bc429fedf7225e7faf8def073ec48a4f8043b9874e33There is a type confusion issue during serialization if ObjectEncoder.dynamicPropertyWriter is overridden with a value that is not a function.
625ab1bc7c4d776092e3752495889f2493737fe86bdd8d69ac60ec2b69f50ef2Samsung Galaxy S6 Android.media.process face recognition memory corruption proof of concept exploit.
a5e7dfca54ad57cd87ac2d393d7a5abcda17cd922cada6c71474e80ae98e77e0Samsung LibQjpeg suffers from a memory corruption vulnerability in the DCMProvider service when decoding an image.
5ac160d206c75cc91f847a1d4b2392558060e7cff39dcd58682c6c240637d514
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed