There is an out-of-bounds read in H264 parsing and a fuzzed file is included in this archive. To load, load LoadMP4.swf with the URL parameter file=compute_poc.flv from a remote server.
The included flv file causes stack corruption when loaded into Flash. To use the PoC, load LoadMP42.swf?file=lownull.flv from a remote server.
The included file causes a crash due to a heap overflow, probably due to an issue in ATF processing by the URLStream class.
There is a use-after-free in LoadVars.decode. If a watch is set on the object that the parameters are being decoded into, and the watch deletes the object, then other methods are called on the deleted object after it is freed.
There is a dangling pointer that can be read, but not written to in loadPCMFromByteArray. A proof of concept is included.
There is a type confusion vulnerability in the TextField constructor in AS3. When a TextField is constructed, a generic backing object is created and reused when subsequent TextField objects are created. However, if an object with the same ID has already been created in the SWF, it can be of the wrong type. The constructor […]
The Cisco ASA VPN Portal password recovery page suffers from a cross site scripting vulnerability.