
memory exhaustion in parseSWF_ACTIONRECORD(util/parser.c:1142) #109

Closed
fantasy7082 opened this issue Mar 7, 2018 · 1 comment


fantasy7082 commented Mar 7, 2018

Version: libming 0.4.8 (latest version)

A memory exhaustion vulnerability was found in function parseSWF_ACTIONRECORD, which allows attackers to cause a denial of service via a crafted file.

./swftocxx 001-mem-ex-swf /dev/null 
header indicates a filesize of 92 but filesize is 256
#include <mingpp.h>


main(){
SWFMovie* m = new SWFMovie(48);

Ming_setScale(1.0);
m->setDimension(10624, 7776);

// SWF_SETBACKGROUNDCOLOR 
m->setBackground(0x30, 0x30, 0x30);
==54801==WARNING: AddressSanitizer failed to allocate 0xfffffffffffd8180 bytes
==54801==AddressSanitizer's allocator is terminating the process instead of returning 0
==54801==If you don't like this behavior set allocator_may_return_null=1
==54801==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f1990630631  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7f19906355e3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
    #2 0x7f19905ad425  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d425)
    #3 0x7f1990633865  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa3865)
    #4 0x7f19905b2b4d  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22b4d)
    #5 0x7f19906285d2 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)
    #6 0x428bc3 in parseSWF_ACTIONRECORD /root/libming-asan/util/parser.c:1142
    #7 0x4374bf in parseSWF_DOACTION /root/libming-asan/util/parser.c:2434
    #8 0x40fd6b in blockParse /root/libming-asan/util/blocktypes.c:145
    #9 0x40f328 in readMovie /root/libming-asan/util/main.c:274
    #10 0x40fb0e in main /root/libming-asan/util/main.c:359
    #11 0x7f198f9bd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x401b58 in _start (/usr/local/libming-asan/bin/swftocxx+0x401b58)

POC file: https://github.com/fantasy7082/image_test/blob/master/001-mem-ex-swf

@hlef (Contributor)

hlef commented May 15, 2018

Integer overflow in parseSWF_ACTIONRECORD. We read UI16 and store it in a WORD, which is defined as SI16.

Fix: Using type WORD (=SI16) for NumParam in SWF_ACTIONDEFINEFUNCTION is wrong, the specification says it should be UI16 (see page 92 of the spec). Fixing that should be enough.

diff --git a/util/swftypes.h b/util/swftypes.h
index fe80eb2c..b1f97333 100644
--- a/util/swftypes.h
+++ b/util/swftypes.h
@@ -363,7 +363,7 @@ struct SWF_ACTIONDEFINEFUNCTION {
        UI16    Length;
        UI32    Offset;
        STRING  FunctionName;
-       WORD    NumParams;
+       UI16    NumParams;
        STRING  *Params;
        WORD    CodeSize;
        int     numActions;
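Review bot: the change on the `NumParams` line removes the signed store that sign-extends file values of 0x8000 and above, but the neighbouring `WORD    CodeSize;` field keeps the same signed type; the SWF spec's ActionDefineFunction record gives codeSize as UI16 as well, so the reader in util/parser.c should be checked for the same pattern there. It would also help to confirm that the code filling this struct reads NumParams with the UI16 reader and that the Params allocation at parser.c:1142 is now bounded by 65535 * sizeof(STRING).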

hlef added a commit to hlef/libming that referenced this issue May 26, 2018
This commit fixes the memory exhaustion issue in
parseSWF_ACTIONRECORD (fixes: libming#109, CVE-2018-7876).

The original issue is triggered by an integer overflow in
parseSWF_ACTIONRECORD, where we read a UI16 and store it in a WORD,
which is defined as SI16. This is because type WORD (=SI16) is used
for NumParam (in SWF_ACTIONDEFINEFUNCTION), while the specification
says it should be UI16 (page 92 of the spec).

This patch addresses this type issue by changing type of NumParam
from WORD to UI16.
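The type confusion hlef describes, worked through as an added example (not libming's own code): a 16-bit count read from the file is stored in a signed WORD, converted to size_t for the allocation, and becomes a value near SIZE_MAX. The typedefs, helper names and the cap in alloc_params are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for libming's typedefs (assumption, following hlef's comment:
 * WORD is SI16, UI16 is an unsigned 16-bit integer). */
typedef int16_t  SI16;
typedef uint16_t UI16;
typedef SI16     WORD;
typedef char    *STRING;

/* SWF stores multi-byte integers little-endian; read NumParams from a buffer. */
UI16 read_ui16(const uint8_t *p) {
    return (UI16)(p[0] | (p[1] << 8));
}

/* Bytes a parser would request for the Params array when the field is a
 * signed WORD: a file value >= 0x8000 becomes negative, and converting that
 * negative value to size_t yields a number close to SIZE_MAX. */
size_t params_bytes_signed(UI16 raw) {
    WORD NumParams = (WORD)raw;            /* lossy store, as in the old struct */
    return (size_t)NumParams * sizeof(STRING);
}

/* Same computation with the field typed UI16, as in the fix: at most 65535
 * pointers, i.e. a bounded allocation. */
size_t params_bytes_unsigned(UI16 raw) {
    UI16 NumParams = raw;
    return (size_t)NumParams * sizeof(STRING);
}

/* Defensive allocation for a parser: validate the file-controlled count
 * against a cap before calling calloc; returns NULL on rejection or OOM. */
STRING *alloc_params(UI16 NumParams, size_t max_params) {
    if (NumParams > max_params)
        return NULL;
    return calloc(NumParams ? NumParams : 1, sizeof(STRING));
}

int main(void) {
    const uint8_t crafted[2] = { 0xFF, 0xFF };   /* constructed: NumParams = 0xFFFF */
    UI16 n = read_ui16(crafted);
    printf("signed   : %zu bytes\n", params_bytes_signed(n));
    printf("unsigned : %zu bytes\n", params_bytes_unsigned(n));
    STRING *p = alloc_params(n, 1024);
    printf("capped alloc: %s\n", p ? "accepted" : "rejected");
    free(p);
    return 0;
}
```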
@strk strk closed this as completed in a6cf16a Jul 12, 2020