Researchers have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files.
211858c5b9e08bfdb94ac6f00d553181d66e260d3e96b6772ee5d08a2eeebad8Researchers have encountered a number of Windows kernel crashes in the win32k!scl_ApplyTranslation function while processing corrupted TTF font files.
04fddfcac6b041b9767e037c57308e83d27c063d91368ef64e5e28a5f2f828adThere is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property.
fb9a0a904e45cd0df6256c9beee44fab0c8f0d32abe86dd2ede36f7255957e4dResearchers have encountered a number of Windows kernel crashes in the win32k!itrp_IUP function (a handler of the IUP[] TTF program instruction) while processing corrupted TTF font files.
2da68c42d8b015345141bebfbde7346273991659273a83e794878106ce64e9e5When calling Color.setRGB in AS2 it is possible to free the target_mc object used in the Color constructor while a reference remains in the stack.
025afc3b744a755fe32430c68ff260ef742b1772b907721185ee3c58dbde5b57An access violation occurs in Adobe Flash Player plugin while parsing a mutated swf file.
a9bceda55620d3ed4cd20aec8a272a586fc3442122decbc24a9ba59a81f9b08bAn access violation occurs in Adobe Flash Player plugin while parsing a mutated swf file.
d1b4ab4f8b0404b6ba7f6fd0ce0dddffa431bd6d447a9316b9385e81916c89f2In certain cases where a native AS2 class sets an internal atom to a value, it can lead to a use-after-free if the variable is a SharedObject.
90eacb51d34198b2be5fdbf20c1cbafadb5acc055ea1efde7be967cbaf2262efWhen setting the scrollRect attribute of a MovieClip in AS2 with a custom Rectangle it is possible to free the MovieClip while a reference remains in the stack.
784ff7b73b5ba4aba1ac24bbe51f62d68e8c1405d60181192fb3613898562723There is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property.
2e1c6f0cbff4d283e27bc67ff2c3d6a2f97825e1fb4b4c03692fb92493f675d7In certain cases where a native AS2 class sets an internal variable, it can lead to a use-after-free if the variable is a SharedObject. While this example shows setting NetConnection.contentType, this applies to several other variables including many properties of the Sound and NetStream classes.
988359360be0f5f9adf193f6cd3a04d83c07dd40e147fd6dcd237b7482c3bf8cAn instance of ActionScript's Sound class allows for loading and extracting for further processing any kind of external data, not only sound files. Same-origin policy doesn't apply here. Each input byte of raw data, loaded previously from given URL, is encoded by an unspecified function to the same 8 successive sample blocks of output. The sample block consists of 8 bytes (first 4 bytes for left channel and next 4 bytes for right channel). Only 2 bytes from 8 sound blocks (64 bytes) are crucial, the rest 52 bytes are useless. Each byte of input from range 0-255 has corresponding constant unsigned integer value (a result of encoding), so for decoding purposes you can use simply lookup table (cf. source code from BoundlessTunes.as).
fc4873a13244f4cbc031eca310103bf8bf2dd9f88a4c98659fde47aa2310d88dIf the fpadInfo property of a NetConnection object is a SharedObject, a use-after-free occurs when the property is deleted.
b56d353e5eaa5e4528ff1ffb7dc841c80fd0d96e3e3d63729b195cd39ca14474Three use-after-free proof of concept exploits for Flash.
2e4eefce9ede8e949e02bc78fdf89f165e66883de32412b8f8591292e5d9a762A use-after-free bug exists while setting the TextFilter.filters array.
31a6c05930a52b35dcd3d8092a6d0a8288bfbf9225bc353369358d98b9ab95b8There is a use-after-free issue if the scale9Grid setting is called on an object with a member that then frees display item. This issue occurs for both MovieClips and Buttons, it needs to be fixed in both classes.
80b4a9baafb714f2dd9d49514a0fc66cae5b4722cb091640d14ef74e3e9fafccThis is a OOB read vulnerability when processing the SCRIPTDATASTRING object in Flv file.
b7ac22badf51c7c646164605a8e31a6bc88e7bf96892a72cbd86c59704b16c46
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed