Talos Vulnerability Report

TALOS-2025-2313

Canva Affinity EMF File EMR_STRETCHBLT cbBitsSrc Out-Of-Bounds Read Vulnerability

March 17, 2026
CVE Number

CVE-2025-66633

SUMMARY

An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Canva Affinity 3.0.1.3808

PRODUCT URLS

Affinity - https://www.affinity.studio/

CVSSv3 SCORE

6.1 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

CWE

CWE-125 - Out-of-bounds Read

DETAILS

Affinity is a professional and versatile suite of creative applications designed for graphic design, photo editing, and desktop publishing. It provides a fast, streamlined experience with powerful tools to create illustrations, edit images, and design print or digital layouts. The suite is widely regarded as a capable and affordable alternative to software such as Adobe Creative Cloud.

Affinity applications support the EMF file format, and this vulnerability is associated with how EMF files are processed.

An EMF (Enhanced Metafile Format) file stores images in a device-independent form. It begins with a header (EMR_HEADER) that contains information about the structure and contents of the metafile. The structure of the EMR_HEADER is as follows:

Offset      Size      Name
------      ----      --------------------------------------
0x00        0x04      recordType  (0x00000001)
0x04        0x04      recordSize
0x08        0x10      bounds
0x18        0x10      frame
0x28        0x04      recordSignature (0x464D4520)
0x2C        0x04      version
0x30        0x04      sizeInBytes
0x34        0x04      numOfRecords
0x38        0x02      Handles
0x3A        0x02      Reserved

Please note that the structure of EMR_HEADER shown is not complete; it only includes the relevant fields.

For the EMR_HEADER record, the recordType must be 0x00000001. The recordSize indicates the total size of the header record in bytes. The recordSignature field defines the record signature, which must have the value 0x464D4520 (FME ). The sizeInBytes field specifies the size of the metafile in bytes. The numOfRecords indicates the total number of records present in the metafile, including the EMR_HEADER.

This vulnerability is associated with the record type EMR_STRETCHBLT.

The EMR_STRETCHBLT record defines a block transfer of pixels from a source bitmap to a destination rectangle. Its structure is defined as follows:

Offset      Size      Name
------      ----      --------------------------------------
0x00        0x04      recordType  (0x0000004D)
0x04        0x04      recordSize
0x08        0x10      Bounds
0x18        0x04      xDest
0x1C        0x04      yDest
0x20        0x04      cxDest
0x24        0x04      cyDest
0x28        0x04      BitBltRasterOperation
0x2C        0x04      xSrc
0x30        0x04      ySrc
0x34        0x18      XformSrc
0x4C        0x04      BkColorSrc
0x50        0x04      UsageSrc
0x54        0x04      offBmiSrc   (n)
0x58        0x04      cbBmiSrc    (p)
0x5C        0x04      offBitsSrc
0x60        0x04      cbBitsSrc   (q)
0x64        0x04      cxSrc
0x68        0x04      cySrc
n           p+q       BitmapBuffer

For the EMR_STRETCHBLT record, the recordType value must be 0x0000004D. The offBmiSrc field indicates the offset from the start of this record to the source bitmap header in the BitmapBuffer field. The offBitsSrc field specifies the offset from the start of this record to the source bitmap bits. The cbBitsSrc field indicates the size of the source bitmap bits.

The first field in the source bitmap header is DIBHeaderInfo, which is a variable‑length field. The first 4 bytes of DIBHeaderInfo contain the HeaderSize value, which specifies the total size of the DIBHeaderInfo structure.

After reading the DIBHeaderInfo structure, the application uses the following equation to read the remaining BitmapBuffer data:

remaining_bitmap_data = offBitsSrc + cbBitsSrc - offBmiSrc - headerSize

This vulnerability occurs because the application does not validate the result of this equation before using it to copy the remaining BitmapBuffer data. An out-of-bounds read occurs when the value of remaining_bitmap_data is greater than (recordSize - offBmiSrc - headerSize). This behavior can be observed during debugging with PageHeap enabled.
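The check described above, written out as an added example in C; this is not code from the advisory or from Affinity, and the function names (check_stretchblt, build_sample), the status codes and the sample record are assumptions made here. The sample record is constructed to match the field values visible in the register and memory dumps later in this report (recordSize 0xE0, offBmiSrc 0x6C, cbBmiSrc 0x34, offBitsSrc 0xA0, DIB HeaderSize 0x28), once with a cbBitsSrc that fits the record and once with the 0x10000 value that produces the crash. The same computation is what the debugger trace shows at (5), (6) and (8), so the function also serves those passages: for the crafted record it yields remaining_bitmap_data = 0x1000C, the value seen in r13 before the memcpy, and rejects it because the record only holds 0x4C bytes past the DIB header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EMR_STRETCHBLT_TYPE 0x0000004Du

/* Outcome of validating one EMR_STRETCHBLT record (status codes are assumptions of this example). */
enum sb_status {
    SB_OK = 0,
    SB_TRUNCATED,       /* fewer bytes in memory than the fixed fields or recordSize need */
    SB_BAD_TYPE,        /* recordType is not 0x4D */
    SB_BAD_OFFSETS,     /* offBmiSrc / offBitsSrc do not lie inside the record */
    SB_BAD_DIB_HEADER,  /* DIB HeaderSize does not fit between offBmiSrc and recordSize */
    SB_OOB_BITMAP_DATA  /* remaining_bitmap_data exceeds recordSize - offBmiSrc - headerSize */
};

/* EMF fields are little-endian 32-bit values. */
static uint32_t rd32(const uint8_t *p, size_t off)
{
    return (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8) |
           ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24);
}
static void wr32(uint8_t *p, size_t off, uint32_t v)
{
    p[off] = (uint8_t)v;           p[off + 1] = (uint8_t)(v >> 8);
    p[off + 2] = (uint8_t)(v >> 16); p[off + 3] = (uint8_t)(v >> 24);
}

/*
 * Validate an EMR_STRETCHBLT record before its BitmapBuffer is copied.
 * rec: start of the record; avail: bytes actually present from rec onward.
 * *remaining receives the advisory's remaining_bitmap_data when it could be computed.
 */
enum sb_status check_stretchblt(const uint8_t *rec, size_t avail, uint64_t *remaining)
{
    *remaining = 0;
    if (avail < 0x6C) return SB_TRUNCATED;                  /* fixed fields end after cySrc */
    uint32_t type = rd32(rec, 0x00), rec_size = rd32(rec, 0x04);
    uint32_t off_bmi = rd32(rec, 0x54), off_bits = rd32(rec, 0x5C), cb_bits = rd32(rec, 0x60);
    if (type != EMR_STRETCHBLT_TYPE) return SB_BAD_TYPE;
    if (rec_size < 0x6C || rec_size > avail) return SB_TRUNCATED;
    /* both offsets are relative to the record start and must stay inside the record */
    if (off_bmi < 0x6C || off_bmi > rec_size - 4 || off_bits < off_bmi || off_bits > rec_size)
        return SB_BAD_OFFSETS;
    uint32_t hdr_size = rd32(rec, off_bmi);                 /* first dword of DIBHeaderInfo */
    if (hdr_size < 4 || hdr_size > rec_size - off_bmi) return SB_BAD_DIB_HEADER;
    /* 64-bit arithmetic so the sum of two file-controlled dwords cannot wrap */
    uint64_t bitmap_end = (uint64_t)off_bits + cb_bits;
    uint64_t dib_end    = (uint64_t)off_bmi + hdr_size;
    if (bitmap_end < dib_end) return SB_OOB_BITMAP_DATA;
    *remaining = bitmap_end - dib_end;   /* offBitsSrc + cbBitsSrc - offBmiSrc - headerSize */
    uint64_t bound = (uint64_t)rec_size - off_bmi - hdr_size;   /* bytes really present after the DIB header */
    if (*remaining > bound) return SB_OOB_BITMAP_DATA;      /* the comparison the advisory reports missing */
    return SB_OK;
}

/*
 * Constructed sample: a 0xE0-byte EMR_STRETCHBLT laid out like the record dumped
 * in this report (8x2 32bpp DIB with bitfield masks), with cbBitsSrc chosen by
 * the caller. Pixel bytes are filler.
 */
#define SAMPLE_LEN 0xE0
void build_sample(uint8_t out[SAMPLE_LEN], uint32_t cb_bits)
{
    memset(out, 0x87, SAMPLE_LEN);             /* filler, like the 0x878787 pixels in the dump */
    wr32(out, 0x00, EMR_STRETCHBLT_TYPE);
    wr32(out, 0x04, SAMPLE_LEN);               /* recordSize */
    wr32(out, 0x54, 0x6C);                     /* offBmiSrc */
    wr32(out, 0x58, 0x34);                     /* cbBmiSrc: 0x28 header + three colour masks */
    wr32(out, 0x5C, 0xA0);                     /* offBitsSrc */
    wr32(out, 0x60, cb_bits);                  /* cbBitsSrc */
    wr32(out, 0x64, 8);  wr32(out, 0x68, 2);   /* cxSrc, cySrc */
    wr32(out, 0x6C, 0x28);                     /* DIB HeaderSize (BITMAPINFOHEADER) */
    wr32(out, 0x70, 8);  wr32(out, 0x74, 2);   /* biWidth, biHeight */
    wr32(out, 0x78, 0x00200001);               /* biPlanes = 1, biBitCount = 32 */
    wr32(out, 0x7C, 3);  wr32(out, 0x80, 0x40);/* BI_BITFIELDS, biSizeImage = 8*2*4 */
}

/* Helpers that run the check on a sample built with the given cbBitsSrc. */
int sample_status(uint32_t cb_bits)
{
    uint8_t r[SAMPLE_LEN]; uint64_t rem;
    build_sample(r, cb_bits);
    return (int)check_stretchblt(r, sizeof r, &rem);
}
uint64_t sample_remaining(uint32_t cb_bits)
{
    uint8_t r[SAMPLE_LEN]; uint64_t rem;
    build_sample(r, cb_bits);
    check_stretchblt(r, sizeof r, &rem);
    return rem;
}

int main(void)
{
    printf("well-formed (cbBitsSrc=0x40):    status=%d remaining=0x%llx\n",
           sample_status(0x40), (unsigned long long)sample_remaining(0x40));
    printf("crafted     (cbBitsSrc=0x10000): status=%d remaining=0x%llx\n",
           sample_status(0x10000), (unsigned long long)sample_remaining(0x10000));
    return 0;
}
```

The well-formed sample passes with remaining_bitmap_data = 0x4C, exactly the room left in the record after the 0x28-byte DIB header; the crafted one is rejected with SB_OOB_BITMAP_DATA before any copy takes place. Because offBitsSrc and cbBitsSrc are both under file control, the bound comparison has to be made against recordSize (or the bytes actually mapped), never against the sum the file supplies.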

0:032> g
(1318.2054): Unknown exception - code 000006ba (first chance)
ModLoad: 00007ffa`e3a40000 00007ffa`e3d8c000   C:\Windows\SYSTEM32\MsftEdit.dll
ModLoad: 00007ffa`ea260000 00007ffa`ea3a6000   C:\Windows\System32\Windows.StateRepositoryPS.dll
ModLoad: 00007ffa`e9be0000 00007ffa`e9c08000   C:\Windows\system32\mssprxy.dll
Breakpoint 0 hit
libpersona!Emf::EmfLoader::LoadDocument+0x4d3b6:
00007ffa`4ef1b536 488bf2          mov     rsi,rdx
0:041> r
rax=00000020b11ff0f8 rbx=000001d6f11200a4 rcx=00000020b11ff3f0
rdx=000001d6f11200a4 rsi=000001d9efc29d20 rdi=00000020b11ff330
rip=00007ffa4ef1b536 rsp=00000020b11fef70 rbp=00000020b11ff070
 r8=000001d9bac38ff0  r9=0000000000000001 r10=00000000ffffffef
r11=00000020b11ff000 r12=00007ffa4ef1fe80 r13=000001d6f1120000
r14=0000000000000001 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Emf::EmfLoader::LoadDocument+0x4d3b6:
00007ffa`4ef1b536 488bf2          mov     rsi,rdx
0:041> dd 000001d6f11200a4   ;<------------------------ (1)
000001d6`f11200a4  0000004d 000000e0 00000064 00000064
000001d6`f11200b4  0000044b 00000351 00000064 00000064
000001d6`f11200c4  000003e8 000002ee 00cc0020 00000000
000001d6`f11200d4  00000000 3f800000 00000000 00000000
000001d6`f11200e4  3f800000 00000000 00000000 00ffffff
000001d6`f11200f4  00000000 0000006c 00000034 000000a0
000001d6`f1120104  00010000 00000008 00000002 00000028
000001d6`f1120114  00000008 00000002 00200001 00000003
0:041> bp 00007FFA4EF1B70D 
0:041> g
Breakpoint 4 hit
libpersona!Emf::EmfLoader::LoadDocument+0x4d58d:
00007ffa`4ef1b70d 8b4654          mov     eax,dword ptr [rsi+54h] ds:000001d6`f11200f8=0000006c ;<----------- (2)
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d590:
00007ffa`4ef1b710 85c0            test    eax,eax
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d592:
00007ffa`4ef1b712 0f84e6030000    je      libpersona!Emf::EmfLoader::LoadDocument+0x4d97e (00007ffa`4ef1bafe) [br=0]
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d598:
00007ffa`4ef1b718 837e5800        cmp     dword ptr [rsi+58h],0 ds:000001d6`f11200fc=00000034
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d59c:
00007ffa`4ef1b71c 0f84dc030000    je      libpersona!Emf::EmfLoader::LoadDocument+0x4d97e (00007ffa`4ef1bafe) [br=0]
0:041> p
Breakpoint 1 hit
libpersona!Emf::EmfLoader::LoadDocument+0x4d5a2:
00007ffa`4ef1b722 8b4e5c          mov     ecx,dword ptr [rsi+5Ch] ds:000001d6`f1120100=000000a0 ;<----------- (3)
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5a5:
00007ffa`4ef1b725 85c9            test    ecx,ecx
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5a7:
00007ffa`4ef1b727 0f84d1030000    je      libpersona!Emf::EmfLoader::LoadDocument+0x4d97e (00007ffa`4ef1bafe) [br=0]
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5ad:
00007ffa`4ef1b72d 448b4e60        mov     r9d,dword ptr [rsi+60h] ds:000001d6`f1120104=00010000 ;<----------- (4)
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5b1:
00007ffa`4ef1b731 4585c9          test    r9d,r9d
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5b4:
00007ffa`4ef1b734 0f84c4030000    je      libpersona!Emf::EmfLoader::LoadDocument+0x4d97e (00007ffa`4ef1bafe) [br=0]
0:041> p
Breakpoint 3 hit
libpersona!Emf::EmfLoader::LoadDocument+0x4d5ba:
00007ffa`4ef1b73a 488d1406        lea     rdx,[rsi+rax]  
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5be:
00007ffa`4ef1b73e 4c8d040e        lea     r8,[rsi+rcx]  
0:041> r
rax=000000000000006c rbx=0000000000000000 rcx=00000000000000a0
rdx=000001d6f1120110 rsi=000001d6f11200a4 rdi=000001d75c990fc0
rip=00007ffa4ef1b73e rsp=00000020b11fef70 rbp=00000020b11ff070
 r8=00007ffa7c28a204  r9=0000000000010000 r10=0000000000000004
r11=00000020b11feef0 r12=0000000000cc0020 r13=000001d6f1120000
r14=00000020b11ff3f0 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x4d5be:
00007ffa`4ef1b73e 4c8d040e        lea     r8,[rsi+rcx]
0:041> dd 000001d6f1120110
000001d6`f1120110  00000028 00000008 00000002 00200001
000001d6`f1120120  00000003 00000040 00000000 00000000
000001d6`f1120130  00000000 00000000 00ff0000 0000ff00
000001d6`f1120140  000000ff 00878787 00878787 00878787
000001d6`f1120150  00878787 00878787 00878787 00878787
000001d6`f1120160  00878787 00878787 00878787 00878787
000001d6`f1120170  00878787 00878787 00878787 00878787
000001d6`f1120180  00878787 0000000e 00000014 00000000
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5c2:
00007ffa`4ef1b742 4533ff          xor     r15d,r15d
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5c5:
00007ffa`4ef1b745 4c897d90        mov     qword ptr [rbp-70h],r15 ss:00000020`b11ff000=000001d9ebc64fb0
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5c9:
00007ffa`4ef1b749 4c897db8        mov     qword ptr [rbp-48h],r15 ss:00000020`b11ff028=00007ffafd8547b1
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5cd:
00007ffa`4ef1b74d 4c2bca          sub     r9,rdx   ;<----------- (5)
0:041> p;r
rax=000000000000006c rbx=0000000000000000 rcx=00000000000000a0
rdx=000001d6f1120110 rsi=000001d6f11200a4 rdi=000001d75c990fc0
rip=00007ffa4ef1b750 rsp=00000020b11fef70 rbp=00000020b11ff070
 r8=000001d6f1120144  r9=fffffe290eeefef0 r10=0000000000000004
r11=00000020b11feef0 r12=0000000000cc0020 r13=000001d6f1120000
r14=00000020b11ff3f0 r15=0000000000000000
iopl=0         nv up ei ng nz na po cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
libpersona!Emf::EmfLoader::LoadDocument+0x4d5d0:
00007ffa`4ef1b750 4d03c8          add     r9,r8  ; <----------------- (6)
0:041> p;r
rax=000000000000006c rbx=0000000000000000 rcx=00000000000000a0
rdx=000001d6f1120110 rsi=000001d6f11200a4 rdi=000001d75c990fc0
rip=00007ffa4ef1b753 rsp=00000020b11fef70 rbp=00000020b11ff070
 r8=000001d6f1120144  r9=0000000000010034 r10=0000000000000004
r11=00000020b11feef0 r12=0000000000cc0020 r13=000001d6f1120000
r14=00000020b11ff3f0 r15=0000000000000000
iopl=0         nv up ei pl nz na pe cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000203
libpersona!Emf::EmfLoader::LoadDocument+0x4d5d3:
00007ffa`4ef1b753 c7442440ffffffff mov     dword ptr [rsp+40h],0FFFFFFFFh ss:00000020`b11fefb0=5fd62000
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5db:
00007ffa`4ef1b75b c7442438ffffffff mov     dword ptr [rsp+38h],0FFFFFFFFh ss:00000020`b11fefa8=00000000
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5e3:
00007ffa`4ef1b763 4c897c2430      mov     qword ptr [rsp+30h],r15 ss:00000020`b11fefa0=0000000000000000
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5e8:
00007ffa`4ef1b768 488d45b8        lea     rax,[rbp-48h]
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5ec:
00007ffa`4ef1b76c 4889442428      mov     qword ptr [rsp+28h],rax ss:00000020`b11fef98=000001d6f112006c
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5f1:
00007ffa`4ef1b771 488d4590        lea     rax,[rbp-70h]
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5f5:
00007ffa`4ef1b775 4889442420      mov     qword ptr [rsp+20h],rax ss:00000020`b11fef90=000001d9ebc64fb0
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5fa:
00007ffa`4ef1b77a 488d4c2458      lea     rcx,[rsp+58h]
0:041> p
libpersona!Emf::EmfLoader::LoadDocument+0x4d5ff:
00007ffa`4ef1b77f e81c919fff      call    libpersona!Dib::RasterHelper::CreateBitmapFromDib (00007ffa`4e9148a0); <--------- (7)
0:041> r
rax=00000020b11ff000 rbx=0000000000000000 rcx=00000020b11fefc8
rdx=000001d6f1120110 rsi=000001d6f11200a4 rdi=000001d75c990fc0
rip=00007ffa4ef1b77f rsp=00000020b11fef70 rbp=00000020b11ff070
 r8=000001d6f1120144  r9=0000000000010034 r10=0000000000000004
r11=00000020b11feef0 r12=0000000000cc0020 r13=000001d6f1120000
r14=00000020b11ff3f0 r15=0000000000000000
iopl=0         nv up ei pl nz na pe cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000203
libpersona!Emf::EmfLoader::LoadDocument+0x4d5ff:
00007ffa`4ef1b77f e81c919fff      call    libpersona!Dib::RasterHelper::CreateBitmapFromDib (00007ffa`4e9148a0)

The contents of the EMR_STRETCHBLT record are examined at (1). At (2), the offBmiSrc value is read. The offBitsSrc value is read at (3). At (4), the cbBitsSrc value is read. At (5) and (6), the BitmapBuffer size, referred to as BitmapBufferSize, is calculated using the equation (cbBitsSrc + offBitsSrc - offBmiSrc).

CreateBitmapFromDib is called at (7) to create the bitmap, and BitmapBufferSize is passed as an argument.

0:041> p
Breakpoint 2 hit
libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x204:
00007ffa`4e914aa4 8b1f            mov     ebx,dword ptr [rdi] ds:000001d6`f1120110=00000028
0:041> p
libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x206:
00007ffa`4e914aa6 4c2beb          sub     r13,rbx  
0:041> r
rax=000001d9dd0c8fbe rbx=0000000000000028 rcx=000001d9dd0c8fbe
rdx=000001d6f1120110 rsi=0000000000000000 rdi=000001d6f1120110
rip=00007ffa4e914aa6 rsp=00000020b11fedc0 rbp=00000020b11feec0
 r8=0000000000000028  r9=0000000000000040 r10=00007ffafa1d0000
r11=00007ffafa1e14c1 r12=00000020b11fefc8 r13=0000000000010034
r14=0000000000000000 r15=00000020b11ff000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x206:
00007ffa`4e914aa6 4c2beb          sub     r13,rbx ;<----------------------- (8)
0:041> p
libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x209:
00007ffa`4e914aa9 4803fb          add     rdi,rbx
0:041> p
libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x20c:
00007ffa`4e914aac 498b0f          mov     rcx,qword ptr [r15] ds:00000020`b11ff000=000001d99b25af40
0:041> r
rax=000001d9dd0c8fbe rbx=0000000000000028 rcx=000001d9dd0c8fbe
rdx=000001d6f1120110 rsi=0000000000000000 rdi=000001d6f1120138
rip=00007ffa4e914aac rsp=00000020b11fedc0 rbp=00000020b11feec0
 r8=0000000000000028  r9=0000000000000040 r10=00007ffafa1d0000
r11=00007ffafa1e14c1 r12=00000020b11fefc8 r13=000000000001000c
r14=0000000000000000 r15=00000020b11ff000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x20c:
00007ffa`4e914aac 498b0f          mov     rcx,qword ptr [r15] ds:00000020`b11ff000=000001d99b25af40
0:041> p;r
rax=000001d9dd0c8fbe rbx=0000000000000028 rcx=000001d99b25af40
rdx=000001d6f1120110 rsi=0000000000000000 rdi=000001d6f1120138
rip=00007ffa4e914aaf rsp=00000020b11fedc0 rbp=00000020b11feec0
 r8=0000000000000028  r9=0000000000000040 r10=00007ffafa1d0000
r11=00007ffafa1e14c1 r12=00000020b11fefc8 r13=000000000001000c
r14=0000000000000000 r15=00000020b11ff000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x20f:
00007ffa`4e914aaf ff15bbfedd0e    call    qword ptr [libpersona!WhiteBalanceAdjustmentRasterNode::__GetDefaultSerialisation+0x11bd8f0 (00007ffa`5d6f4970)] ds:00007ffa`5d6f4970={libraster!Raster::CompressedRasterData::GetData (00007ffa`8f000c9d)}
0:041> p;r
rax=000001d9dd0c8fb0 rbx=0000000000000028 rcx=000001d99b25af40
rdx=000001d6f1120110 rsi=0000000000000000 rdi=000001d6f1120138
rip=00007ffa4e914ab5 rsp=00000020b11fedc0 rbp=00000020b11feec0
 r8=0000000000000028  r9=0000000000000040 r10=00007ffafa1d0000
r11=00007ffafa1e14c1 r12=00000020b11fefc8 r13=000000000001000c
r14=0000000000000000 r15=00000020b11ff000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x215:
00007ffa`4e914ab5 488d4b0e        lea     rcx,[rbx+0Eh]
0:041> p;r
rax=000001d9dd0c8fb0 rbx=0000000000000028 rcx=0000000000000036
rdx=000001d6f1120110 rsi=0000000000000000 rdi=000001d6f1120138
rip=00007ffa4e914ab9 rsp=00000020b11fedc0 rbp=00000020b11feec0
 r8=0000000000000028  r9=0000000000000040 r10=00007ffafa1d0000
r11=00007ffafa1e14c1 r12=00000020b11fefc8 r13=000000000001000c
r14=0000000000000000 r15=00000020b11ff000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x219:
00007ffa`4e914ab9 4803c8          add     rcx,rax
0:041> p;r
rax=000001d9dd0c8fb0 rbx=0000000000000028 rcx=000001d9dd0c8fe6
rdx=000001d6f1120110 rsi=0000000000000000 rdi=000001d6f1120138
rip=00007ffa4e914abc rsp=00000020b11fedc0 rbp=00000020b11feec0
 r8=0000000000000028  r9=0000000000000040 r10=00007ffafa1d0000
r11=00007ffafa1e14c1 r12=00000020b11fefc8 r13=000000000001000c
r14=0000000000000000 r15=00000020b11ff000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x21c:
00007ffa`4e914abc 4903ce          add     rcx,r14
0:041> p;r
rax=000001d9dd0c8fb0 rbx=0000000000000028 rcx=000001d9dd0c8fe6
rdx=000001d6f1120110 rsi=0000000000000000 rdi=000001d6f1120138
rip=00007ffa4e914abf rsp=00000020b11fedc0 rbp=00000020b11feec0
 r8=0000000000000028  r9=0000000000000040 r10=00007ffafa1d0000
r11=00007ffafa1e14c1 r12=00000020b11fefc8 r13=000000000001000c
r14=0000000000000000 r15=00000020b11ff000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x21f:
00007ffa`4e914abf 4d8bc5          mov     r8,r13
0:041> p;r
rax=000001d9dd0c8fb0 rbx=0000000000000028 rcx=000001d9dd0c8fe6
rdx=000001d6f1120110 rsi=0000000000000000 rdi=000001d6f1120138
rip=00007ffa4e914ac2 rsp=00000020b11fedc0 rbp=00000020b11feec0
 r8=000000000001000c  r9=0000000000000040 r10=00007ffafa1d0000
r11=00007ffafa1e14c1 r12=00000020b11fefc8 r13=000000000001000c
r14=0000000000000000 r15=00000020b11ff000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x222:
00007ffa`4e914ac2 488bd7          mov     rdx,rdi
0:041> p;r
rax=000001d9dd0c8fb0 rbx=0000000000000028 rcx=000001d9dd0c8fe6
rdx=000001d6f1120138 rsi=0000000000000000 rdi=000001d6f1120138
rip=00007ffa4e914ac5 rsp=00000020b11fedc0 rbp=00000020b11feec0
 r8=000000000001000c  r9=0000000000000040 r10=00007ffafa1d0000
r11=00007ffafa1e14c1 r12=00000020b11fefc8 r13=000000000001000c
r14=0000000000000000 r15=00000020b11ff000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x225:
00007ffa`4e914ac5 e8204fe90d      call    libpersona!WhiteBalanceAdjustmentRasterNode::__GetDefaultSerialisation+0x27296a (00007ffa`5c7a99ea)  ; <---------------------- (9)
0:041> dd 000001d6f1120138
000001d6`f1120138  00ff0000 0000ff00 000000ff 00878787
000001d6`f1120148  00878787 00878787 00878787 00878787
000001d6`f1120158  00878787 00878787 00878787 00878787
000001d6`f1120168  00878787 00878787 00878787 00878787
000001d6`f1120178  00878787 00878787 00878787 0000000e
000001d6`f1120188  00000014 00000000 00000010 00000014
000001d6`f1120198  00000000 00000000 00000000 00000000
000001d6`f11201a8  00000000 00000000 00000000 00000000

Inside CreateBitmapFromDib, the DIBHeaderInfo is processed first. After that, remaining_bitmap_data is calculated at (8) by subtracting headerSize from BitmapBufferSize. At (9), memcpy is called to copy the remaining bitmap data (excluding DIBHeaderInfo) using remaining_bitmap_data as the size. However, remaining_bitmap_data is larger than (recordSize - offBmiSrc - headerSize), resulting in an out-of-bounds read during the memcpy operation. This behavior can be observed at the time of the crash.

0:041> g
(1318.2724): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
VCRUNTIME140!memcpy_repmovs+0xb:
00007ffa`fa1e11db f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
0:041> r
rax=000001d9dd0c8fe6 rbx=0000000000000028 rcx=000000000000f144
rdx=000001d6f1120138 rsi=000001d6f1121000 rdi=000001d9dd0c9eae
rip=00007ffafa1e11db rsp=00000020b11feda8 rbp=00000020b11feec0
 r8=000000000001000c  r9=000001d6f1130144 r10=00007ffafa1d0000
r11=00007ffafa1e14c1 r12=00000020b11fefc8 r13=000000000001000c
r14=0000000000000000 r15=00000020b11ff000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
VCRUNTIME140!memcpy_repmovs+0xb:
00007ffa`fa1e11db f3a4            rep movs byte ptr [rdi],byte ptr [rsi]

0:041> dd 000001d6f1121000
000001d6`f1121000  ???????? ???????? ???????? ????????
000001d6`f1121010  ???????? ???????? ???????? ????????
000001d6`f1121020  ???????? ???????? ???????? ????????
000001d6`f1121030  ???????? ???????? ???????? ????????
000001d6`f1121040  ???????? ???????? ???????? ????????
000001d6`f1121050  ???????? ???????? ???????? ????????
000001d6`f1121060  ???????? ???????? ???????? ????????
000001d6`f1121070  ???????? ???????? ???????? ????????

0:041> dd 000001d9dd0c9eae
000001d9`dd0c9eae  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
000001d9`dd0c9ebe  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
000001d9`dd0c9ece  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
000001d9`dd0c9ede  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
000001d9`dd0c9eee  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
000001d9`dd0c9efe  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
000001d9`dd0c9f0e  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
000001d9`dd0c9f1e  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0

0:041> u
VCRUNTIME140!memcpy_repmovs+0xb [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 50]:
00007ffa`fa1e11db f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
00007ffa`fa1e11dd 5e              pop     rsi
00007ffa`fa1e11de 5f              pop     rdi
00007ffa`fa1e11df c3              ret
VCRUNTIME140!memcpy [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 80]:
00007ffa`fa1e11e0 488bc1          mov     rax,rcx
00007ffa`fa1e11e3 4c8d1516eefeff  lea     r10,[VCRUNTIME140!__ImageBase (00007ffa`fa1d0000)]
00007ffa`fa1e11ea 4983f80f        cmp     r8,0Fh
00007ffa`fa1e11ee 0f870c010000    ja      VCRUNTIME140!memcpy+0x120 (00007ffa`fa1e1300)

0:041> kb
 # RetAddr               : Args to Child                                                           : Call Site
00 00007ffa`4e914aca     : 00000000`00000000 00000000`00000000 00007ffa`9302c000 00000000`00000000 : VCRUNTIME140!memcpy_repmovs+0xb [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 50] 
01 00007ffa`4ef1b784     : 00000000`00000000 000001d6`f11200a4 00000000`00000000 000001d9`e9a01fd0 : libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x22a
02 00007ffa`4ef20cab     : 000001d9`ebc64fb0 000001d9`e68aefd0 000001d6`f11200a4 00000000`00000010 : libpersona!Emf::EmfLoader::LoadDocument+0x4d604
03 00007ffa`4ef1fe9c     : 00000020`b11ff3f0 00000000`000000a4 00000000`00000000 00000000`00000000 : libpersona!Emf::EmfLoader::LoadDocument+0x52b2b
04 00007ffa`faf0e73f     : 00000000`000000a4 000001d9`efc29d20 000001d6`af810000 000001d6`af810000 : libpersona!Emf::EmfLoader::LoadDocument+0x51d1c
05 00007ffa`fc56d432     : 000001d9`f0108fd0 00000020`00000000 000001d9`f0108fd0 00000000`00000000 : gdi32full!bInternalPlayEMF+0x250bf
06 00007ffa`4ef215ce     : 00000000`00000000 00000020`b11ff450 00000020`b11ff6d0 000001d9`efc85f90 : GDI32!EnumEnhMetaFileStub+0x52
07 00007ffa`4eecdb56     : 00000020`b11ff3f0 00000020`b11ff380 00000000`00000000 00007ffa`fd881910 : libpersona!Emf::EmfLoader::LoadDocument+0x5344e
08 00007ffa`4eece041     : 000001d9`efc85f90 000001d9`efc29d20 000001d9`efc85f90 00000020`b11ff6d0 : libpersona!Emf::EmfLoader::LoadDocument+0x86
09 00007ffa`4eece2ab     : 00000020`b11ff768 000001d9`efc85f90 00000020`b11ff6d0 00000000`00000000 : libpersona!Emf::EmfLoader::LoadDocument+0x101
0a 00007ffa`4eece124     : 000001d9`e2588740 00000020`b11ff768 00000020`b11ff738 00000020`b11ff7b1 : libpersona!Emf::EmfLoader::LoadDocument+0x12b
0b 00007ffa`4ec83a94     : 000001d9`efe56fa0 000001d9`e2588740 00000020`b11ff810 00000020`b11ffad8 : libpersona!Emf::EmfLoader::LoadDocument+0x94
0c 00007ffa`4ec5088f     : 000001d9`e2588740 00000000`00000000 00000000`00000000 00000000`ffffff00 : libpersona!DocumentController::TryLoadEMF+0xc4
0d 00007ffa`4ec4eacc     : 00000000`00000000 000001d9`00000001 00000000`00000000 00000000`00000000 : libpersona!DocumentController::LoadDocumentI+0xfaf
0e 00007ffa`51283602     : 000001d9`b21a0690 00000000`00000000 000001d9`e1dcdf70 00000000`00000000 : libpersona!DocumentController::LoadDocument+0x8c
0f 00007ffa`52a96cea     : 000001d9`b21a06c8 000001d9`9a373f00 00000000`00000000 00000000`00000000 : libpersona!LoadDocumentCommand::Do+0x252
10 00007ffa`af2464cf     : 00000000`00000000 000001d9`e1dcdf70 00000000`00000000 000001d9`a9a2afe0 : libpersona!PersonaController::StaticDoCommand+0x3a
11 00007ffa`af49f47f     : 000001d9`e1928fd0 00000000`00000481 00000000`00000000 000001d9`be226f90 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0xb787f
12 00007ffa`fcc17374     : 00007ffa`af8c2800 00000000`00000000 00000000`00000000 00000000`00000000 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0x31082f
13 00007ffa`fd87cc91     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
14 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

0:041> lmDvm libpersona
Browse full module list
start             end                 module name
00007ffa`49180000 00007ffa`60abb000   libpersona   (export symbols)       C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Loaded symbol image file: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image path: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image name: libpersona.dll
    Browse all global symbols  functions  data  Symbol Reload
    Timestamp:        Mon Nov  3 07:34:40 2025 (6908CB90)
    CheckSum:         17822078
    ImageSize:        1793B000
    Mapping Form:     Loaded
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

Exploiting this vulnerability allows for the reading of arbitrary memory within the process, potentially disclosing sensitive information.

VENDOR RESPONSE

See security bulletin on trust.canva.com with the vulnerability details and vulnerable versions. (URL to advisory: https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62)

TIMELINE

2026-01-27 - Vendor Disclosure
2026-03-17 - Vendor Patch Release
2026-03-17 - Public Release

Credit

Discovered by KPC of Cisco Talos.