Canva Affinity Out-of-Bounds Read Vulnerability in EMF Processing
Vulnerability
An out-of-bounds read vulnerability has been identified in Canva Affinity version 3.0.1.3808. The issue lies in the application's EMF (Enhanced Metafile Format) functionality, where a specially crafted EMF file can trigger the vulnerability. Exploitation may lead to the unauthorized disclosure of sensitive information by allowing access to arbitrary memory within the process.
Impact
Triggering this vulnerability causes a crash due to an access violation, which indicates that the out-of-bounds read has occurred. The out-of-bounds read can be exploited to read sensitive information from the application's memory.
Reproduction
The vulnerability can be reproduced by opening a specially crafted EMF file in Canva Affinity version 3.0.1.3808. The file targets the EMR_POLYBEZIERTO16 record type with a Count value that exceeds the expected range, so the aPoints array appears to hold an excessive number of points. The application processes these points incorrectly and reads beyond the allocated memory bounds, which is the out-of-bounds read.
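The bounds check that an EMR_POLYBEZIERTO16 record needs before any point is read, as an added example; it is not Canva Affinity's code and is not taken from the original advisory. It assumes the record layout from the public MS-EMF specification (Type, Size, 16-byte Bounds, Count, then 4-byte points), and the function names, status codes and sample record are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EMR_POLYBEZIERTO16 0x58u /* record type value from MS-EMF */
#define FIXED_PART 28u           /* Type + Size + Bounds (16 bytes) + Count */
#define POINT_SIZE 4u            /* PointS: two signed 16-bit coordinates */

enum emr_status { EMR_OK, EMR_TRUNCATED, EMR_BAD_TYPE, EMR_BAD_SIZE, EMR_BAD_COUNT };

/* Little-endian 32-bit read/write that do not assume alignment. */
static uint32_t rd32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Validate one record before any point is read; avail = bytes left in the file. */
enum emr_status check_polybezierto16(const uint8_t *rec, size_t avail, uint32_t *count_out)
{
    if (avail < FIXED_PART) return EMR_TRUNCATED;
    if (rd32(rec) != EMR_POLYBEZIERTO16) return EMR_BAD_TYPE;
    uint32_t size = rd32(rec + 4);
    if (size < FIXED_PART || size % 4 != 0 || size > avail) return EMR_BAD_SIZE;
    uint32_t count = rd32(rec + 24);
    /* Divide instead of multiplying so a huge Count cannot wrap around. */
    if (count > (size - FIXED_PART) / POINT_SIZE) return EMR_BAD_COUNT;
    *count_out = count;
    return EMR_OK;
}

/* Constructed sample: a zeroed record carrying only Type, Size and Count. */
enum emr_status check_sample(uint32_t size, uint32_t count, size_t avail)
{
    uint8_t buf[64] = {0};
    uint32_t n = 0;
    wr32(buf, EMR_POLYBEZIERTO16);
    wr32(buf + 4, size);
    wr32(buf + 24, count);
    return check_polybezierto16(buf, avail, &n);
}

int main(void)
{
    printf("Count fits the record: %d\n", check_sample(40, 3, 40));
    printf("Count exceeds the record: %d\n", check_sample(40, 0x10000, 40));
    return 0;
}
```

A record is accepted only when Count fits inside its own Size and Size fits inside the remaining file data, so the point loop can never index past the buffer.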
Remediation
Users are advised to upgrade to the latest version of Canva Affinity available from the Affinity website.
