NULL pointer dereference in outputSWF_TEXT_RECORD #101
Comments
Reproducible on latest master. Please ask for CVE number, I'll prepare a patch for this issue.
Well, the first issue here is that the array offset is being stored in a signed int, while This may lead to integer overflows in two cases:
In the case of an integer overflow, I propose to change the type of
Okay, I'll request a CVE number.
FTR, this issue has been assigned number CVE-2018-6315.
In outputSWF_TEXT_RECORD, the array offset is stored in a signed int, while (&(trec->GlyphEntries[i]))->GlyphIndex[0] returns an unsigned 32 bit number. This may lead to an integer overflow when reading the offset from the GlyphIndex array, and further to a buffer overflow when doing buffer[i]=fi->fontcodeptr[off] with negative off. In this commit, we change the type of off to unsigned long so we are guaranteed to be able to store 32 unsigned integers. This commit fixes CVE-2018-6315 (fixes libming#101).
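The following is an added illustration of the signed/unsigned mismatch the commit message describes, not code from libming or from anyone in this thread. The struct layouts, the eight-entry code table and the function names are constructed for the example; only the idea (a uint32 GlyphIndex narrowed into a signed int, then used as an index into fontcodeptr) comes from the text above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the data the commit message talks about: a glyph
 * entry whose GlyphIndex[0] is an unsigned 32-bit value, and a font whose
 * fontcodeptr table has a known length. This layout is an assumption for the
 * example, not libming's actual definitions. */
struct glyph_entry { uint32_t GlyphIndex[1]; };
struct font { const unsigned short *fontcodeptr; size_t fontcodelen; };

/* Constructed 8-entry code table ('A'..'H') and a font wrapping it. */
static const unsigned short sample_codes[8] = { 'A','B','C','D','E','F','G','H' };
static const struct font sample_font = { sample_codes, 8 };

/* The original pattern: the glyph index is narrowed into a signed int.
 * For values >= 0x80000000 the conversion yields a negative number on the
 * two's-complement targets gcc/clang build for (C leaves it implementation-
 * defined), so fontcodeptr[off] would read before the start of the table.
 * Returned as a long so the caller can see the sign. */
long offset_as_signed_int(uint32_t glyph_index)
{
    int off = glyph_index;          /* uint32 -> int: silently goes negative */
    return off;
}

/* Would the original fontcodeptr[off] read fall outside the table?
 * 1 = yes (negative, or past the end), 0 = in bounds. Nothing is dereferenced. */
int signed_lookup_out_of_bounds(const struct font *fi, uint32_t glyph_index)
{
    int off = glyph_index;
    return off < 0 || (size_t)off >= fi->fontcodelen;
}

/* Hardened lookup in the spirit of the fix: keep the offset unsigned (the
 * commit uses unsigned long) so it can never go negative, and additionally
 * refuse indices beyond the table, which the type change alone does not stop.
 * Returns the code, or -1 when the glyph index is out of range. */
int fontcode_for_glyph(const struct font *fi, const struct glyph_entry *ge)
{
    unsigned long off = ge->GlyphIndex[0];   /* holds any uint32 without wrapping */
    if (off >= fi->fontcodelen)
        return -1;
    return fi->fontcodeptr[off];
}

/* Convenience wrapper over the constructed sample font. */
int sample_lookup(uint32_t glyph_index)
{
    struct glyph_entry ge = { { glyph_index } };
    return fontcode_for_glyph(&sample_font, &ge);
}

int main(void)
{
    uint32_t idx[] = { 5u, 8u, 0x80000005u };
    for (size_t i = 0; i < 3; i++) {
        printf("GlyphIndex 0x%08x: as int = %ld, original read %s, hardened lookup = %d\n",
               idx[i], offset_as_signed_int(idx[i]),
               signed_lookup_out_of_bounds(&sample_font, idx[i]) ? "out of bounds" : "in bounds",
               sample_lookup(idx[i]));
    }
    return 0;
}
```

The index 0x80000005 is the interesting case: as an int it is negative, so the original pattern reads far below the table, while the unsigned offset keeps its value and is rejected by the length check. The second case (index 8 on an 8-entry table) shows why the length check is still worth having once the offset is unsigned: a non-negative index can still run past the end.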
Hello.
I found a NULL pointer dereference in libming.
Please confirm.
Thanks.
Summary: NULL pointer dereference
OS: CentOS 7 64bit
Version: 1df8bc2
PoC Download: null_outputSWF_TEXT_RECORD.zip
Steps to reproduce:
1. Download the .POC files.
2. Compile the source code with ASan.
3. Execute the following command:
swftocxx $FILE out
==========
[Acknowledgement]
This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing]