>> CATEGORY: exploit
The Vulnerability Laboratory Core Research Team discovered an application-side input validation web vulnerability in the official iFixit online service web application.
There is a type confusion vulnerability in the TextField constructor in AS3. When a TextField is constructed, a generic backing object is created and reused when subsequent TextField objects are…
There is a dangling pointer in loadPCMFromByteArray that can be read, but not written to. A proof of concept is included.
There is a use-after-free in LoadVars.decode. If a watch is set on the object that the parameters are being decoded into, and the watch deletes the object, then other methods…
The included file causes a crash due to a heap overflow, probably due to an issue in ATF processing by the URLStream class.
The included flv file causes stack corruption when loaded into Flash. To use the PoC, load LoadMP42.swf?file=lownull.flv from a remote server.
There is an out-of-bounds read in H264 parsing and a fuzzed file is included in this archive. To load, load LoadMP4.swf with the URL parameter file=compute_poc.flv from a remote server.
The attached file can cause an out-of-bounds read of an image. While the bits of the image are null, the width, height and other values can make it a valid…
The included fuzzing test case causes a crash due to a heap overflow in BitmapData.drawWithQuality.