Canva Affinity Out-of-Bounds Read Vulnerability in EMF Processing

Vulnerability

An out-of-bounds read vulnerability has been identified in Canva Affinity version 3.0.1.3808. The issue is in the application's EMF (Enhanced Metafile Format) functionality and can be triggered with a specially crafted EMF file. The out-of-bounds read could lead to the disclosure of sensitive information by allowing access to arbitrary memory within the process.

Impact

Exploitation of this vulnerability causes a crash, indicating a memory access violation. Beyond the crash, the out-of-bounds read can be leveraged to access and potentially disclose sensitive information from memory.

Reproduction

The vulnerability can be reproduced by opening a specially crafted EMF file in Canva Affinity. The file contains an EMR_POLYBEZIER (Bezier curve) record whose Count field is manipulated to exceed the expected size, that is, an exaggerated point count. While processing the file, the application reads beyond the allocated memory bounds, which triggers the out-of-bounds read.
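The bounds check that this class of bug lacks, shown as an added example (not Canva's code and not part of the original advisory). It assumes the EMR_POLYBEZIER layout from the public MS-EMF specification (Type, Size, 16-byte Bounds, Count, then 8-byte points); the function names and the sample buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EMR_POLYBEZIER 2u   /* record type value from MS-EMF */
#define POLY_HDR_LEN   28u  /* Type(4) + Size(4) + Bounds(16) + Count(4) */
#define POINTL_LEN     8u   /* one point: two 32-bit coordinates */

/* Little-endian 32-bit read/write with no alignment assumptions. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 1 only if the point array described by Count fits inside the
 * record's declared Size and that Size fits inside the bytes available. */
int polybezier_record_ok(const uint8_t *buf, size_t avail) {
    if (avail < POLY_HDR_LEN) return 0;
    uint32_t type = rd32(buf), size = rd32(buf + 4), count = rd32(buf + 24);
    if (type != EMR_POLYBEZIER) return 0;
    if (size < POLY_HDR_LEN || size % 4 != 0 || size > avail) return 0;
    /* Divide rather than multiply so a huge Count cannot wrap around. */
    return count <= (size - POLY_HDR_LEN) / POINTL_LEN;
}

/* Constructed sample: a 60-byte buffer (room for 4 points) whose Size and
 * Count fields are set by the caller; point data is left as zeros. */
int check_sample(uint32_t declared_size, uint32_t count) {
    uint8_t rec[60];
    memset(rec, 0, sizeof rec);
    wr32(rec, EMR_POLYBEZIER);
    wr32(rec + 4, declared_size);
    wr32(rec + 24, count);
    return polybezier_record_ok(rec, sizeof rec);
}

int main(void) {
    printf("size=60 count=4          -> %d\n", check_sample(60, 4));
    printf("size=60 count=5          -> %d\n", check_sample(60, 5));
    printf("size=60 count=0x20000000 -> %d\n", check_sample(60, 0x20000000u));
    printf("size=64 count=4          -> %d\n", check_sample(64, 4));
    return 0;
}
```

The same comparison works as a pre-filter for EMF files received from untrusted sources, applied to each record while walking the file by its Size fields.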

Remediation

Users are advised to upgrade to the latest version of Canva Affinity available from the Affinity website.

Added: Mar 17, 2026, 7:40 PM
Updated: Mar 17, 2026, 7:40 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 4.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.