Canva Affinity Type Confusion Vulnerability in EMF Processing Allowing Arbitrary Code Execution
Vulnerability
A type confusion vulnerability has been identified in Canva Affinity version 3.0.1.3808. This vulnerability arises in the application's handling of Enhanced Metafile (EMF) files, where a specially crafted EMF file can lead to memory corruption and potentially allow for arbitrary code execution. The issue is related to the processing of EMR_FRAMERGN records, where mismatched brush object indices can be exploited.
Impact
Exploitation of this vulnerability causes a memory access violation, leading to a crash. However, depending on the memory layout, it may be possible to gain arbitrary read and write access, which could be used to execute arbitrary code.
Reproduction
The vulnerability can be reproduced by opening a specially crafted EMF file in Canva Affinity. The EMF file must be designed to exploit the type confusion in the EMR_FRAMERGN record by using an invalid brush index that causes the application to read an arbitrary object, leading to uninitialized memory being accessed and causing a crash.
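A defender-side illustration of the record-level check the advisory implies: before handing an untrusted EMF to a renderer, walk its record stream, track which handle-table slot each creator record fills, and flag any EMR_FRAMERGN (or EMR_FILLRGN) whose ihBrush is out of range, empty, or points at an object that is not a brush. This is an added example, not Canva's or Affinity's code and not taken from the advisory; it assumes the public MS-EMF record layouts (Handles at offset 56 of EMR_HEADER, ihBrush at offset 28 of the region records) and uses two small metafiles constructed inline as sample input.

```python
import struct

# EMF record types from MS-EMF; only the subset this checker needs.
EMR_HEADER, EMR_EOF = 1, 14
EMR_CREATEPEN, EMR_CREATEBRUSHINDIRECT, EMR_DELETEOBJECT = 38, 39, 40
EMR_FILLRGN, EMR_FRAMERGN = 71, 72
STOCK_OBJECT_FLAG = 0x80000000          # high bit marks a stock object, not a table slot

# Creator records and the object kind they place in the handle table.
CREATORS = {EMR_CREATEPEN: "pen", EMR_CREATEBRUSHINDIRECT: "brush"}
# Region records that carry a brush index at offset 28 (after Type, Size, Bounds, RgnDataSize).
BRUSH_CONSUMERS = {EMR_FILLRGN: "EMR_FILLRGN", EMR_FRAMERGN: "EMR_FRAMERGN"}


def iter_records(data):
    """Yield (type, offset, raw_record) for each record; stop at EMR_EOF."""
    off = 0
    while off + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, off)
        if size < 8 or size % 4 or off + size > len(data):
            raise ValueError(f"malformed record size {size} at offset {off}")
        yield rtype, off, data[off:off + size]
        off += size
        if rtype == EMR_EOF:
            return
    raise ValueError("record stream ended without EMR_EOF")


def check_emf(data):
    """Return a list of findings; empty means every brush index resolved to a brush."""
    findings = []
    table = {}        # handle index -> object kind created so far
    handles = None    # Handles field of EMR_HEADER; index 0 is reserved
    for rtype, off, rec in iter_records(data):
        if rtype == EMR_HEADER and len(rec) >= 58:
            handles, = struct.unpack_from("<H", rec, 56)
        elif rtype in CREATORS and len(rec) >= 12:
            ih, = struct.unpack_from("<I", rec, 8)
            if ih == 0 or (handles is not None and ih >= handles):
                findings.append(f"offset {off}: creator record uses out-of-range handle {ih}")
            else:
                table[ih] = CREATORS[rtype]
        elif rtype == EMR_DELETEOBJECT and len(rec) >= 12:
            ih, = struct.unpack_from("<I", rec, 8)
            table.pop(ih, None)
        elif rtype in BRUSH_CONSUMERS and len(rec) >= 32:
            name = BRUSH_CONSUMERS[rtype]
            ih, = struct.unpack_from("<I", rec, 28)
            if ih & STOCK_OBJECT_FLAG:
                continue                                # stock brush, no table lookup
            if handles is not None and ih >= handles:
                findings.append(f"offset {off}: {name} brush index {ih} exceeds handle table size {handles}")
            elif ih not in table:
                findings.append(f"offset {off}: {name} brush index {ih} refers to an empty slot")
            elif table[ih] != "brush":
                findings.append(f"offset {off}: {name} brush index {ih} refers to a {table[ih]}, not a brush")
    return findings


# --- constructed sample metafiles (not real files from the advisory) ---
def _rec(rtype, body):
    return struct.pack("<II", rtype, 8 + len(body)) + body

def _header(handles):
    # Bounds/Frame zeroed, signature " EMF", version 1.0; Bytes/Records left 0 here.
    fixed = struct.pack("<IIIIHHIII", 0x464D4520, 0x10000, 0, 0, handles, 0, 0, 0, 0)
    return _rec(EMR_HEADER, bytes(32) + fixed + struct.pack("<iiii", 1024, 768, 320, 240))

def _brush(ih):   # EMR_CREATEBRUSHINDIRECT: ihBrush + LogBrushEx(style, color, hatch)
    return _rec(EMR_CREATEBRUSHINDIRECT, struct.pack("<IIII", ih, 0, 0x00FF0000, 0))

def _pen(ih):     # EMR_CREATEPEN: ihPen + LogPen(style, width POINTL, color)
    return _rec(EMR_CREATEPEN, struct.pack("<IIiiI", ih, 0, 1, 0, 0))

def _framergn(ih):
    # Minimal RegionData: 32-byte header (RDH_RECTANGLES, one rect) plus one RECTL.
    rgn = struct.pack("<IIII", 32, 1, 1, 16) + struct.pack("<iiii", 0, 0, 10, 10) * 2
    body = struct.pack("<iiii", 0, 0, 10, 10) + struct.pack("<IIii", len(rgn), ih, 1, 1) + rgn
    return _rec(EMR_FRAMERGN, body)

EOF = _rec(EMR_EOF, struct.pack("<III", 0, 16, 20))

GOOD_EMF = _header(3) + _brush(1) + _framergn(1) + EOF
# Slot 1 holds a pen, slot 7 is past the table, slot 2 was never filled.
BAD_EMF = _header(3) + _pen(1) + _framergn(1) + _framergn(7) + _framergn(2) + EOF

if __name__ == "__main__":
    for label, blob in (("good", GOOD_EMF), ("bad", BAD_EMF)):
        print(label, check_emf(blob) or "no findings")
```

The checker is deliberately stricter than a renderer: a stock-object index is accepted, but any table index that is out of range, unfilled, or of the wrong kind is reported with its record offset, which is what you would want logged when quarantining such a file at an ingestion boundary.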
Remediation
Users are advised to upgrade to the latest version of Canva Affinity available from the Affinity website.