Samsung Galaxy S6 LibQjpeg memory corruption proof of concept exploit.
00a3e0053aaaff6e526e5ce32b3ddb9478f66295e94d52e198a75a61fc3556edLibstagefright integer overflow checks can be bypassed with extended chunk lengths.
15eceaf95482d14e738ec82c591c2ef6f10dc84faa2b08d52245a8476148b162If IExternalizable.writeExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.
c2857430db2e3817f2560860b2cb61ba6870519540ac7fa7ad196cee951f2afaIf an mp3 file contains compressed ID3 data that is larger than 0x2aaaaaaa bytes, an integer overflow will occur in allocating the buffer to contain its converted string data, leading to a large copy into a small buffer. A sample fla, swf and mp3 are attached. Put id34.swf and tag.mp3 in the same folder to reproduce the issue. This issue only works on 64 bit platforms.
35155caf981a1919c824478ec4353bf7b0386be80fed9f35592dd6d487b2c05cThe Shared Object constructor does not check that the object it is provided is of type Object before setting it to be of type SharedObject. This can cause problems if another method (such as Sound.loadSound) calls into script between checking the input object type, and casting its native object.
19f7464f744154d2d6dd211423377f3e324df119f1b2817fad6a0f7b4e6ae5f4There is a type confusion issue in the TextFormat constructor that is reachable because the FileReference constructor does not verify that the incoming object is of type Object (it only checks that the object is not native backed). The TextFormat constructor first sets a new object to type TextFormat, and then calls into script several times before setting the native backing object. If one of these script calls then calls into the FileReference constructor, the object can be set to type FileReference, and then the native object will be set to the TextFormat, leading to type confusion.
913b0be9845adb6b994362bb787074269b6c1eeb7980d5b0f158933108a65e1aThere is a use-after-free in the TextField gridFitType setter.
9cfc47e31890f361abe09b956c4448a09809f5f2f950712ad016beb1ef1a03f2If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.
95ab8619713493badebfbf2dae76fc13420fcd4f602713b108d2bb448361a346There is a type confusion issue in TextRenderer.setAdvancedAntialiasingTable. If the font, insideCutoff or outsideCutoff are set to objects that are not integers, they are still assumed to be integers.
a39594a8976bb4f531c327c7e110dd1c104a7e1916ad2cb698311e6d442f6784There is a use-after-free in CreateTextField in Adobe Flash.
273c349edf06a32073f319cedaeee5bb11cb28bcdc6a8e4ff0b6c4491275e257There is a use-after-free in MovieClip.swapDepths in Adobe Flash.
fdc90abdb1b2a25ee44d0715804979dcd608cbd02e9a1639cbcdf73c438f77f6In certain cases where a native AS2 class sets an internal atom to a value, it can lead to a use-after-free if the variable is a SharedObject.
90eacb51d34198b2be5fdbf20c1cbafadb5acc055ea1efde7be967cbaf2262efIn certain cases where a native AS2 class sets an internal variable, it can lead to a use-after-free if the variable is a SharedObject. While this example shows setting NetConnection.contentType, this applies to several other variables including many properties of the Sound and NetStream classes.
988359360be0f5f9adf193f6cd3a04d83c07dd40e147fd6dcd237b7482c3bf8cIf the fpadInfo property of a NetConnection object is a SharedObject, a use-after-free occurs when the property is deleted.
b56d353e5eaa5e4528ff1ffb7dc841c80fd0d96e3e3d63729b195cd39ca14474There is a use-after-free issue if the scale9Grid setting is called on an object with a member that then frees display item. This issue occurs for both MovieClips and Buttons, it needs to be fixed in both classes.
80b4a9baafb714f2dd9d49514a0fc66cae5b4722cb091640d14ef74e3e9fafccIf a watch is set on the childNodes object of an XML object, and then the XML object is manipulated in a way that causes its child nodes to be enumerated, the watch will trigger. If the function in the watch deletes all the child nodes, the buffer containing the nodes will be deleted, even though the original function will still access it when it unwinds. This can lead to a childnodes array in ActionScript containing pointers that can be specified by an attacker.
1295da6dedc93d6a1fe5a27a6f5a706c9506fa2c29602370bf75f3ab7f7f7165There is a use-after-free in attachMovie due to the initObject. If the initObject contains an object that calls a method that deletes the movie clip that is being attached, a use-after-free occurs.
90bd26fa45bf4967bccd506cc65201e1553ca1b0810ffe60271cde208371b15bThere are use-after-frees related to storing a single pointer (this this pointer) in several MovieClip drawing methods, including beginFill, beginBitmapFill, beginGradientFill, linGradientStyle, lineTo, moveTo, curveTo and lineStyle.
eb82146aef2be66c90cc556f2ab77a11428236e2b722274ee758243d8ec6b0e3
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed