This proof-of-concept exploit triggers a crash on Windows 7 32-bit with Special Pool enabled on win32k.sys. The kernel crashes due to a use-after-free condition with bitmaps in the…
>> CATEGORY: exploit
Samsung Galaxy S6 suffers from a GIF parsing crash in Samsung Gallery.
Samsung Galaxy S6 suffers from a bitmap decoding crash in Samsung Gallery.
If a TextField variable is set to a value with toString defined, and the TextField is updated, a use-after-free can occur if the toString method frees the TextField’s parent.
There is a use-after-free in the TextField.variable setter. If the variable name that is added is an object with toString defined, the toString function can free the field’s parent object,…
There is a use-after-free in the TextField.htmlText setter. If the htmlText the field is set to is an object with toString defined, the toString function can free the field’s parent…
There is a use-after-free in the TextField.type setter. If the type the field is set to is an object with toString defined, the toString function can free the field’s parent…
There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field’s parent…
There is a use-after-free in the TextField.tabIndex setter. If the integer parameter is an object with valueOf defined, then it can free the TextField’s parent, leading to a use-after-free.
There is a use-after-free in MovieClip.attachMovie. If a string parameter has toString defined, a number parameter has valueOf defined or an object parameter has its constructor redefined, it can execute…