A memory exhaustion vulnerability was found in function parseSWF_ACTIONRECORD, which allows attackers to cause a denial of service via a crafted file.
./swftocxx 001-mem-ex-swf /dev/null
header indicates a filesize of 92 but filesize is 256
#include <mingpp.h>
main(){
SWFMovie* m = new SWFMovie(48);
Ming_setScale(1.0);
m->setDimension(10624, 7776);
// SWF_SETBACKGROUNDCOLOR
m->setBackground(0x30, 0x30, 0x30);
==54801==WARNING: AddressSanitizer failed to allocate 0xfffffffffffd8180 bytes
==54801==AddressSanitizer's allocator is terminating the process instead of returning 0
==54801==If you don't like this behavior set allocator_may_return_null=1
==54801==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
#0 0x7f1990630631 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
#1 0x7f19906355e3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
#2 0x7f19905ad425 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d425)
#3 0x7f1990633865 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa3865)
#4 0x7f19905b2b4d (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22b4d)
#5 0x7f19906285d2 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)
#6 0x428bc3 in parseSWF_ACTIONRECORD /root/libming-asan/util/parser.c:1142
#7 0x4374bf in parseSWF_DOACTION /root/libming-asan/util/parser.c:2434
#8 0x40fd6b in blockParse /root/libming-asan/util/blocktypes.c:145
#9 0x40f328 in readMovie /root/libming-asan/util/main.c:274
#10 0x40fb0e in main /root/libming-asan/util/main.c:359
#11 0x7f198f9bd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#12 0x401b58 in _start (/usr/local/libming-asan/bin/swftocxx+0x401b58)
Integer overflow in parseSWF_ACTIONRECORD. We read UI16 and store it in a WORD, which is defined as SI16.
Fix: Using type WORD (=SI16) for NumParam in SWF_ACTIONDEFINEFUNCTION is wrong, the specification says it should be UI16 (see page 92 of the spec). Fixing that should be enough.
diff --git a/util/swftypes.h b/util/swftypes.h
index fe80eb2c..b1f97333 100644
--- a/util/swftypes.h
+++ b/util/swftypes.h
@@ -363,7 +363,7 @@ struct SWF_ACTIONDEFINEFUNCTION {
UI16 Length;
UI32 Offset;
STRING FunctionName;
- WORD NumParams;
+ UI16 NumParams;
STRING *Params;
WORD CodeSize;
int numActions;
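Review bot: the type change to UI16 matches the width the comment cites from the spec, but the adjacent context line `WORD CodeSize;` keeps the same signed 16-bit type; if the spec defines that field as unsigned as well, it needs the same change, otherwise it carries the same negative-to-huge-size_t hazard when multiplied into an allocation size. Independently of the type, a UI16 still lets a crafted file claim up to 65535 parameters, so the allocation site at util/parser.c:1142 should bound NumParams against the remaining bytes of the record before calling malloc rather than relying on the field width alone.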
hlef added a commit to hlef/libming that referenced this issue on May 26, 2018
This commit fixes the memory exhaustion issue in
parseSWF_ACTIONRECORD (fixes: libming#109, CVE-2018-7876).
The original issue is triggered by an integer overflow in
parseSWF_ACTIONRECORD, where we read a UI16 and store it in a WORD,
which is defined as SI16. This is because type WORD (=SI16) is used
for NumParam (in SWF_ACTIONDEFINEFUNCTION), while the specification
says it should be UI16 (page 92 of the spec).
This patch addresses this type issue by changing type of NumParam
from WORD to UI16.
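The sign conversion that hlef's comment and the commit message describe, as an added C example (not libming's code): a stand-in for the pre-fix and post-fix field type, plus a plausibility check that is an assumption of this example and not part of the patch. The typedefs, the helper names and the raw value 0xB030 are constructed here; 0xB030 is chosen because, with 8-byte pointers, it reproduces the allocation size in the AddressSanitizer output above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the libming typedefs named in the thread (assumption: the real
 * headers define WORD as signed 16-bit and UI16 as unsigned 16-bit). */
typedef int16_t  WORD;    /* signed 16-bit, the pre-fix type of NumParams */
typedef uint16_t UI16;    /* unsigned 16-bit, the width the SWF spec requires */
typedef char    *STRING;

/* Before the fix: the UI16 read from the file is stored in a signed WORD. Any
 * raw value >= 0x8000 becomes negative, and multiplying that negative int by a
 * size_t converts it to a huge unsigned allocation size. */
size_t params_alloc_size_before_fix(UI16 raw_numparams) {
    WORD NumParams = (WORD)raw_numparams;   /* wraps to a negative value on GCC/Clang */
    return NumParams * sizeof(STRING);       /* int * size_t -> size_t, wraps around */
}

/* After the fix (the util/swftypes.h change above): the field stays unsigned,
 * so the size is bounded by 65535 * sizeof(STRING). */
size_t params_alloc_size_after_fix(UI16 raw_numparams) {
    UI16 NumParams = raw_numparams;
    return (size_t)NumParams * sizeof(STRING);
}

/* Defensive check a parser can add on top of the type fix (assumption, not in
 * the patch): every parameter needs at least one byte (its NUL terminator), so
 * a NumParams larger than the bytes left in the record cannot be genuine. */
int numparams_plausible(UI16 NumParams, size_t bytes_left_in_record) {
    return (size_t)NumParams <= bytes_left_in_record;
}

int main(void) {
    /* Constructed input: 0xB030 (45104) reads as -20432 through a WORD, and
     * -20432 * 8 as size_t is 0xfffffffffffd8180, the request ASan refused. */
    UI16 raw = 0xB030;
    printf("before fix: 0x%zx bytes\n", params_alloc_size_before_fix(raw));
    printf("after fix:  %zu bytes\n", params_alloc_size_after_fix(raw));
    printf("plausible with 100 bytes left: %d\n", numparams_plausible(raw, 100));
    return 0;
}
```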
Version: libming 0.4.8 (latest version)
POC FILE: https://github.com/fantasy7082/image_test/blob/master/001-mem-ex-swf