This vulnerability relies on several minor oversights in the handling of shading patterns in pdfium. The DrawXShading functions in cpdf_renderstatus.cpp rely on a helper function to compute the number of output components that result from applying multiple shading functions. The lack of integer overflow checking would not be an issue if the parser enforced the limits that the PDF specification places on the functions applied, since those preconditions would preclude any overflow from occurring. However, there is no such validation.
This vulnerability occurs when the 'this' value is assumed to be an ordinary object, but it can also be another kind of object, such as an array. As a result, operations on 'this' are not checked properly, which can lead to type confusion. The PoC code shows how this vulnerability can be triggered by calling the opt() function with an array as the 'this' object.
This vulnerability is similar to the previous issues 1457 and 1459 (MSRC 42551, MSRC 42552). If a JavaScript function is used as a constructor, it sets the new object's '__proto__' to its 'prototype'. The JIT compiler uses NewScObjectNoCtor instructions to perform this, but those instructions are not checked by CheckJsArrayKills, which is used to validate the array information. A proof-of-concept code is provided in the text.
Array.prototype.reverse can be inlined and may invoke EnsureNonNativeArray to convert the prototype of 'this' to a Var array. For that to happen, the prototype must be a native array. This usually cannot be fulfilled, since once an array is set as a prototype it is converted to a Var array. To bypass this, we can use Array.prototype.sort: by setting the array as a prototype inside the compare function, we can create an object whose prototype is a native array.
If a native array is used as a prototype, it is converted to a Var array by the Js::JavascriptNativeFloatArray::SetIsPrototype method. The JIT compiler uses InitProto instructions to set the prototype of object literals. When optimizing those instructions, however, it does not reset the previously established array validity, even though the operation can change the type of arrays. As a result, this can lead to type confusion.
This exploit is based on the fact that the ImplicitCallFlags flag is not updated if an exception is thrown during an implicit call. The check can therefore be bypassed by throwing an exception and then clearing it using the 'typeof' operator. This is demonstrated in the code snippet, where an exception is thrown from the toString function and cleared using 'typeof'. This allows arr[0] to be set to an object, which can be used to exploit the application.
The DisableImplicitCallFlag flag is used by the JIT compiler to prevent certain functions from being called. The vulnerability occurs when this flag is not properly validated, which allows an attacker to bypass the JIT's security checks and execute arbitrary code.
This exploit is related to a type confusion bug in Microsoft's ChakraCore and shows how the fix for that bug can be bypassed. The exploit creates a Number object with a very small value and then assigns a property to it. The object is then converted to a primitive type, and a property is assigned to it again. This sequence can be repeated multiple times to bypass the fix.
User-controlled input is not sufficiently sanitized. An unauthenticated user can perform administrative operations without proper authorization: Ametys CMS only checks authorization if the request path includes /cms/. As a result, the password of any user, including administrator accounts, can be reset.
Multiple vulnerabilities were found in the Dell EMC Isilon OneFS platform. These vulnerabilities could allow an attacker to execute arbitrary code, gain access to sensitive information, or perform unauthorized actions.