If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.
95ab8619713493badebfbf2dae76fc13420fcd4f602713b108d2bb448361a346A crash was observed in MS Office 2007 running under Windows 2003 x86. Microsoft Office File Validation Add-In is disabled and application verified was enabled for testing and reproduction. This sample did not reproduce in Office 2010 running on Windows 7 x86. The attached minimized PoC that produces the crash with 2 bit changes from the original file at offsets 0x11E60 and 0x1515F. Standard office document parsers did not reveal any significance about this location.
64642201e34edd3485b55db10852c7ff6216617108d4d18639058079b398f937Adobe Flash suffers from a URL resource use-after-free vulnerability.
b04ff115627b5b76c68978f46ab63e22389ddd834b882f77fa2abc234019242eThere is a type confusion issue in TextRenderer.setAdvancedAntialiasingTable. If the font, insideCutoff or outsideCutoff are set to objects that are not integers, they are still assumed to be integers.
a39594a8976bb4f531c327c7e110dd1c104a7e1916ad2cb698311e6d442f6784There is a use-after-free in CreateTextField in Adobe Flash.
273c349edf06a32073f319cedaeee5bb11cb28bcdc6a8e4ff0b6c4491275e257A heap overflow exists due to a 64-32 integer truncation issue in device/hid/hid_connection_linux.cc.
770ba2318e417025ee29f56a1103dfb964c9deb4f6c83609e26beb78d0effa4fThe proof of concept works by triggering a wild copy in order to demonstrate the crash. But other side-effects are possible such as decrementing the refcount of an out-of-bounds index.
d354b53a4080ae486dd69761b4252b5e10b5e424aae7f11b794443c70d285daaThere is a use-after-free in MovieClip.swapDepths in Adobe Flash.
fdc90abdb1b2a25ee44d0715804979dcd608cbd02e9a1639cbcdf73c438f77f6Researchers have encountered a Windows kernel crash in the win32k!fsc_BLTHoriz function while processing corrupted TTF font files.
5b06b6212cc51d413bdd06023037f42808725455f1165b6efd62121434c36394Researchers have encountered a Windows kernel crash in the win32k!fsc_RemoveDups function while processing corrupted TTF font files.
49ff9762af828d1e6b2e50488ceae9afbbccea4122ec458cc3e8a553d5f7e5aaThe attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.
4c1acddf8f07f6545317d049c59f4af89211c523cf6ef53842973345239d2469The attached sample, signal_sigsegv_7ffff60a1429_9554_f4dc661554237404dfe394d4c6c3e674.swf, crashes on Linux x64.
576dca8249e5bf441b6ff1587895439d38da0d1c81ab8174fa260345c26a6b1bThe attached sample, signal_sigsegv_7ffff603deef_1525_268381c02bc3b05c84578ebaeafc02f0.swf, typically crashes on Linux x64 build (Flash v17.0.0.188).
fd12f01c9fd51ba81094c5dc05092a2ce0cc36a748d2d389573b850c73ad3728The attached swf file in Google Chrome (Linux x64) will eventually result in dialog offering to terminate the slow script.
17b207be2be2c98b9917a15b28b622575b3a5ea1d9db9361a651b483559ced30A nasty looking crash is manifesting in various different ways under fuzzing, apparently related to drawing and bitmap handling.
e53bbf5ffe51ba5e1ba406eb0b58ff40edd25c9943807440ef21cb92a486578dResearchers have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files.
67e07a94bd3af7f8fb477b9542888d1cf25f1dc629893818446d17a6c15e0452An out-of-bounds memory read occurs when Adobe Flash parses a mutated TTF file embedded in a swf.
3e2118575612a001e7d4cabff18c63bc1b2734d53f9b701a601c82011bcff5beThere is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
c8c4ddb8248e3234cb7f686b990e44c2c471253c71a58e09d477456af6b8c3b9Issues in DefineBitsLossless and DefineBitsLossless2 leads to using uninitialized memory while rendering a picture. This is caused by the returned value of a zlib function not properly checked.
396c2a8d45a861b578261ac35463e414a0c7141b924077f21e2a31daf61bcf90Loading a weird MPD file can corrupt flash player's memory.
838fb72db8a1b4cff405ee11b823ee6860c72fe5b2122b2eea654ffdf46183a5Use After Free in Flash AVSS.setSubscribedTags, setCuePointTags and setSubscribedTagsForBackgroundManifest can be abused to write pointers to String to freed locations.
4fd920218793a46ab9cce3ab98f7a35862ab1c6417a8854638fed40036695f51An integer overflow while calling Function.apply can lead to enter an ActionScript function without correctly validating the supplied arguments. Chrome version 41.0.2272.101 stable with Flash version 17.0.0.134 is affected.
851dccc1f099ae9b266f4f0571a50d127e908035fc85ecbce224da0685db6067Flash suffers from a broker-based sandbox escape.
989036efd58bbccc9c007b2a7121bd6ba170455cc7d74bc71d5f4bbe336962f7Flash suffers from a broker-based sandbox escape.
ff44243af4b26853124e63a9869c6b81f401bc2ad222680958329a437559b8efFlash suffers from a broker-based sandbox escape.
32f8d2576cdd393f19c2a9cdbb6d3476d8fda0611004641c02e347365ebea2ae
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed