There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used.
9d96d2e8b4ffc7b089507f4b34bf39de753905872b8eb241586c663c985cf67bThere is a use-after-free in the TextField.tabIndex setter. If the integer parameter is an object with valueOf defined, then it can free the TextField's parent, leading to a use-after-free.
0350c0810358682cfb87c4db17446a25f6c8da78348a1edaa5d141e49ebfde1aThere is a use-after-free in MovieClip.attachMovie. If a string parameter has toString defined, a number parameter has valueOf defined or an object parameter has its constructor redefined, it can execute code and free the this object of the method, leading to a use-after-free.
ed4db34e43e3caa36fcc1564a0d73c60bdb53d44cd0b9886a1954a6e86a5fde3There is a use-after-free issue in MovieClip.localToGlobal. If the Number constructor is overwritten with a new constructor and MovieClip.localToGlobal is called with an integer parameter, the new constructor will get called. If this constructor frees the MovieClip, a use-after-free occurs.
9b00793145cb36766ffc56f7c69bb6851a3d155c2634381ff7926eb04aa8d23dThere is a use-after-free in the TextField antiAliasType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after it is freed.
f871b77faebeff514e1544075f62b5400324200a47c3d190c1c2ac8a6aca0ba5There is a use-after-free in the TextField gridFitType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after it is freed.
1d54659faa27363193dfbcb808bc3e21e30077689df66a670c2377623bb176bbThere are a number of use-after-frees in MovieClip.lineStyle. If any of the String parameters are an object with toString defined, the toString method can delete the MovieClip, which is subsequently used.
dc11327efa3495f2484c36b444d3176f57ea0b0b33462c5f54c3c68d1fcb1465There are a number of use-after-free vulnerabilities in MovieClip.beginGradientFill. If the spreadMethod or any other string parameter is an object with toString defined, this method can free the MovieClip, which is then used. Note that many parameters to this function can be used to execute script and free the MovieClip during execution, it is recommended that this issues be fixed with a stale pointer check.
57667d7fb95d4e7f97ac85d9bca8fb59ed26e9075e32e5856e6d205aaaf920f9This proof of concept exploit triggers a null pointer vulnerability in OffsetChildren on Windows 7 32-bit. By mapping the null page an attacker can leverage this vulnerability to write to an arbitrary address.
930c6248c06d0f17df00bdda4843801b8c2604cfcf1b9138399dbc83fe37120bThis proof of concept exploit triggers a null pointer condition on Windows 7 32-bit, which can potentially be exploited on versions of Windows that allow mapping the null page (e.g. Windows 7 32-bit).
3bf1446b83cdd6c26177a31ebc1b3ce3549d04092ed485e00be882f09bb5eee1This proof of concept exploit triggers a crash on Windows 7 32-bit with Special Pool enabled on win32k.sys. The kernel crashes due to a use-after-free condition with bitmaps in the clipboard.
01bafe1c271dd2a2ea9fadc32ab4da411c8c4eb30209e6634fd69a20fc0c4443Samsung Galaxy S6 suffers from a gif parsing crash in Samsung Gallery.
1888e67a728513e8cd393db3e20349262212f24acc1bffc72a4c47bc6d390b05Samsung Galaxy S6 suffers from a bitmap decoding crash in Samsung Gallery.
b5dfd64ba8ca5fdf49e8b162af363928f2cc6086a53817ac47499c6c57342a90
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed