Canva Affinity Out-of-Bounds Read Vulnerability in EMF Processing
Vulnerability
An out-of-bounds read vulnerability has been identified in Canva Affinity version 3.0.1.3808. The issue is in the application's EMF (Enhanced Metafile Format) processing and is triggered by a specially crafted EMF file. The out-of-bounds read could lead to the disclosure of sensitive information by allowing access to arbitrary memory within the process.
Impact
Exploitation of this vulnerability causes a crash, indicating a memory access violation. However, prior to the crash, the out-of-bounds read can be leveraged to access and potentially disclose sensitive information from memory.
Reproduction
The vulnerability can be reproduced by opening a specially crafted EMF file in Canva Affinity. The file targets the EMF processing of the 'EMR_POLYPOLYLINE16' record type. When the file is opened, the application reads the 'aPoints' array based on the 'Count' field, which can be manipulated to exceed the allocated buffer size. The result is an out-of-bounds read that leads to a memory access violation and an application crash.
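The bounds check that this record type calls for, as an added example (not Canva's code and not part of the original advisory): a parser confirms that 'Count' and the per-polyline counts fit inside the record's declared size before touching 'aPoints'. The field layout follows the public EMF record format; the function names and the sample record are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EMR_POLYPOLYLINE16 0x5Au /* record type value from the EMF format */
#define PPL16_FIXED 32u /* Type, Size, Bounds (16 bytes), NumberOfPolygons, Count */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 0 if the declared counts fit inside the record, negative reason code otherwise. */
int check_polypolyline16(const uint8_t *rec, size_t avail) {
    if (avail < PPL16_FIXED) return -1;                 /* truncated fixed part */
    if (le32(rec) != EMR_POLYPOLYLINE16) return -2;     /* not this record type */
    uint64_t size = le32(rec + 4);
    if (size < PPL16_FIXED || size % 4 || size > avail) return -3;
    uint64_t npolys = le32(rec + 24), count = le32(rec + 28);
    /* 64-bit arithmetic so 4*npolys + 4*count cannot wrap for 32-bit fields */
    if (PPL16_FIXED + 4 * npolys + 4 * count > size) return -4; /* aPoints overruns record */
    uint64_t sum = 0;
    for (uint64_t i = 0; i < npolys; i++) sum += le32(rec + PPL16_FIXED + 4 * i);
    return sum == count ? 0 : -5;                       /* per-polyline counts must total Count */
}

/* Constructed sample: one polyline, two points, 44 bytes. */
static const uint8_t SAMPLE[44] = {
    0x5A,0,0,0,  0x2C,0,0,0,                       /* Type, Size = 44 */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,            /* Bounds */
    1,0,0,0,  2,0,0,0,                             /* NumberOfPolygons = 1, Count = 2 */
    2,0,0,0,                                       /* PolygonPointCount[0] = 2 */
    1,0,1,0,  5,0,5,0                              /* aPoints[2], 16-bit x and y */
};

/* Re-run the check on a copy of SAMPLE whose Count field is replaced. */
int check_with_count(uint32_t count) {
    uint8_t rec[sizeof SAMPLE];
    memcpy(rec, SAMPLE, sizeof rec);
    for (int i = 0; i < 4; i++) rec[28 + i] = (uint8_t)(count >> (8 * i));
    return check_polypolyline16(rec, sizeof rec);
}

int main(void) {
    printf("Count=2      -> %d\n", check_with_count(2));
    printf("Count=0x1000 -> %d\n", check_with_count(0x1000));
    return 0;
}
```

The same check can run in a mail or upload gateway that inspects EMF attachments, so files whose declared counts exceed the record size are rejected before they reach a desktop parser.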
Remediation
Users are advised to upgrade to the latest version of Canva Affinity available from the Affinity website.
