The included proof of concept causes a crash in ih264d_process_intra_mb in avc parsing, likely due to incorrect bounds checking in one of the memcpy or memset calls in the method.

There is a use-after-free in the TextField.maxChars setter in Adobe Flash. If the maxChars the field is set to is an object with valueOf defined, the valueOf function can free the field’s parent object, which is then used.

There is a use-after-free in URLStream.readObject in Adobe Flash. If the object read is a registered class, the constructor will get invoked to create the object. If the constructor calls URLStream.close, the URLStream will get freed, and then the deserialization function will continue to write to it.

The included proof of concept crashes Windows 7 with special pool enabled on win32k.sys. The crash is due to accessing memory past the end of a buffer.

The included proof of concept crashes Windows 7 with special pool enabled on win32k.sys. The crashes are triggering in multiple different ways (two examples attached).

This archive contains all of the 196 exploits added to Packet Storm in March, 2016.