search

kevinmel2000 / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Flash: Type Confusion in TextRenderer.setAdvancedAntialiasingTable #409

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
There is a type confusion issue in TextRenderer.setAdvancedAntialiasingTable. 
If the font, insideCutoff or outsideCutoff are set to objects that are not 
integers, they are still assumed to be integers. A proof-of-concept is below:

var antiAliasEntry_1 = {fontSize:10, insideCutoff:1.61, outsideCutoff:-3.43};
var antiAliasEntry_2 = {fontSize:"", insideCutoff:0.8, outsideCutoff:-0.8};
var arialTable:Array = new Array(antiAliasEntry_1, antiAliasEntry_2);

TextRenderer.setAdvancedAntialiasingTable("Arial", "none", "dark", arialTable);

This issue is low-impact because the type-confused objects are read into the 
font and cutoff values, which cannot be directly retreived from script. It is 
probably possible to determine the value read by doing hit tests on the text 
that is rendered (to see how big and clipped it is), but this would be fairly 
difficult.

A sample SWF and fla are attached, these samples intentionally crash to 
demonstrate the issue. 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 27 May 2015 at 9:06

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by scvi...@google.com on 28 May 2015 at 4:59

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 29 May 2015 at 10:43

GoogleCodeExporter commented 8 years ago 
This is PSIRT-3767

Original comment by natashe...@google.com on 1 Jun 2015 at 8:57

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:25

GoogleCodeExporter commented 8 years ago 
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

Original comment by natashe...@google.com on 18 Aug 2015 at 7:38

GoogleCodeExporter commented 8 years ago 
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

Original comment by natashe...@google.com on 18 Aug 2015 at 7:40