This issue could produce an infinite loop in the rendered page rendering process if an attacker were to trigger it. An attacker could leverage this vulnerability to cause a denial of service or to inject code into the rendered page rendering process.
An attacker could also cause a crash if an invalid value was passed during Android’s native function call method. This could result in a denial of service.
An attacker could also trigger memory corruption in the Android renderer process if an invalid string was provided during the native function call method. This could result in a remote code execution.
CVE-2018-4463 was discovered in OpenType Font Creator (OTFC) when handling the sampleset format via /release-x64/otfccdump+0x35e7e. This issue could cause an infinite loop in the rendering process if an attacker were to trigger it. An attacker could leverage this vulnerability to cause a denial of service or to inject code into the rendered page rendering process.
CVE-2018-4415 was discovered in OpenType Font Creator (OTFC) when handling the BDF font format via /release-x64/otfccdump+0x2056b. This issue could cause an infinite loop in the rendering process if an attacker were to trigger it. An attacker could leverage this vulnerability to cause a denial of service or to inject code into the rendered page rendering process.
Installation Instructions:
- Open "Android Studio"
- Go to File > New > Project...
- In the popup, choose a name for your project.
- Click on "Next".
- Select "Empty Activity" and click on "Next".
- Enter a unique package name with a ".java" extension.
- Choose a minimum SDK version of Oreo (8.0) and click on "Next".
- Ensure that the default activity is MainActivity and click on "Finish".
- Right click on the AndroidManifest.xml file in your Project folder, then select Open With > Android Studio menu option.
Hardware requirements
An attacker would need to be in the same network segment as the target device and have physical access to it. However, a successful attack would not require any user interaction or prior knowledge of the bug being exploited.
An attacker would need to have local administrative privileges on a computer running a vulnerable version of Adobe Flash in order to exploit this bug.
Timeline
Published on: 09/22/2022 17:15:00 UTC
Last modified on: 09/23/2022 03:02:00 UTC