heap-buffer-overflow in getString(util/decompile.c:342) #110

Open
fantasy7082 opened this issue Mar 7, 2018 · 2 comments

Comments

@fantasy7082

Hi, I found a heap-buffer-overflow bug in libming 0.4.8; the details are below (ASAN):

./swftocxx 002-heap-over-swf /dev/null
...
...
==53714==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ec1a at pc 0x7fb09c1699f5 bp 0x7ffc13fe6b30 sp 0x7ffc13fe62c0
WRITE of size 13 at 0x60200000ec1a thread T0
    #0 0x7fb09c1699f4 in __interceptor_vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x619f4)
    #1 0x7fb09c169cc9 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x61cc9)
    #2 0x410e9d in getString /root/libming-asan/util/decompile.c:342
    #3 0x4127f1 in newVar_N /root/libming-asan/util/decompile.c:661
    #4 0x41d747 in decompileSingleArgBuiltInFunctionCall /root/libming-asan/util/decompile.c:2919
    #5 0x41e94e in decompileAction /root/libming-asan/util/decompile.c:3347
    #6 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
    #7 0x41eccd in decompile5Action /root/libming-asan/util/decompile.c:3441
    #8 0x4066c6 in outputSWF_DEFINEBUTTON2 /root/libming-asan/util/outputscript.c:931
    #9 0x40e331 in outputBlock /root/libming-asan/util/outputscript.c:2083
    #10 0x40f3d9 in readMovie /root/libming-asan/util/main.c:286
    #11 0x40fb0e in main /root/libming-asan/util/main.c:359
    #12 0x7fb09b53582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x401b58 in _start (/usr/local/libming-asan/bin/swftocxx+0x401b58)

0x60200000ec1a is located 0 bytes to the right of 10-byte region [0x60200000ec10,0x60200000ec1a)
allocated by thread T0 here:
    #0 0x7fb09c1a0602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x410e4b in getString /root/libming-asan/util/decompile.c:341
    #2 0x4127f1 in newVar_N /root/libming-asan/util/decompile.c:661
    #3 0x41d747 in decompileSingleArgBuiltInFunctionCall /root/libming-asan/util/decompile.c:2919
    #4 0x41e94e in decompileAction /root/libming-asan/util/decompile.c:3347
    #5 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
    #6 0x41eccd in decompile5Action /root/libming-asan/util/decompile.c:3441
    #7 0x4066c6 in outputSWF_DEFINEBUTTON2 /root/libming-asan/util/outputscript.c:931
    #8 0x40e331 in outputBlock /root/libming-asan/util/outputscript.c:2083
    #9 0x40f3d9 in readMovie /root/libming-asan/util/main.c:286
    #10 0x40fb0e in main /root/libming-asan/util/main.c:359
    #11 0x7fb09b53582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_vsprintf
==53714==ABORTING

POC FILE: https://github.com/fantasy7082/image_test/blob/master/002-heap-over-swf
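The trace above pins the write to a sprintf at decompile.c:342 into a buffer malloc'd on the line before it: the region is 10 bytes, the rendering needs 13. The following is an added example, not libming's code and not the fix in #127, showing the size-first pattern that removes this class of overflow: measure the rendering with snprintf(NULL, 0, ...), allocate that many bytes plus one, then format with a bounded snprintf. The sample value is constructed so that it needs exactly 13 bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of bytes (including the NUL) needed to render value with fmt.
 * snprintf with a NULL buffer and size 0 only measures; it writes nothing. */
static size_t bytes_needed(const char *fmt, long long value)
{
    int n = snprintf(NULL, 0, fmt, value);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* True if a fixed buffer of buf_size bytes would hold the rendering.
 * A reviewer can use this to check a hard-coded malloc size like 10. */
static int fits_fixed_buffer(const char *fmt, long long value, size_t buf_size)
{
    size_t need = bytes_needed(fmt, value);
    return need != 0 && need <= buf_size;
}

/* Hardened replacement for "buf = malloc(FIXED); sprintf(buf, fmt, v);":
 * allocate exactly what the rendering needs and format with a bound, so
 * even a mis-measured size could never write past the allocation. */
static char *format_alloc(const char *fmt, long long value)
{
    size_t len = bytes_needed(fmt, value);
    if (len == 0)
        return NULL;
    char *buf = malloc(len);
    if (buf == NULL)
        return NULL;
    snprintf(buf, len, fmt, value);
    return buf;
}

int main(void)
{
    /* Constructed sample: 12 decimal characters plus NUL is the 13-byte
     * write the ASAN report shows landing in a 10-byte region. */
    long long sample = -12345678901LL;
    printf("needs %zu bytes; fits in 10 bytes: %s\n",
           bytes_needed("%lld", sample),
           fits_fixed_buffer("%lld", sample, 10) ? "yes" : "no");
    char *s = format_alloc("%lld", sample);
    if (s != NULL) {
        printf("%s\n", s);
        free(s);
    }
    return 0;
}
```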

@hlef
Contributor

hlef commented May 14, 2018

Should be fixed by eea2a55 in #127 (currently PR).

@strk
Member

strk commented May 20, 2018

#127 is now merged; @fantasy7082, please close after confirmation.
