Hi, I found a heap-buffer-overflow bug in libming 0.4.8; the details are below (ASAN):
./swftocxx 003-heap-over-swf /dev/null
....
....
==30550==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ec7a at pc 0x7fd29030c9f5 bp 0x7ffd968473e0 sp 0x7ffd96846b70
WRITE of size 11 at 0x60200000ec7a thread T0
#0 0x7fd29030c9f4 in __interceptor_vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x619f4)
#1 0x7fd29030ccc9 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x61cc9)
#2 0x410ef9 in getString /root/libming-asan/util/decompile.c:346
#3 0x4127f1 in newVar_N /root/libming-asan/util/decompile.c:661
#4 0x41d3ae in decompileCALLMETHOD /root/libming-asan/util/decompile.c:2865
#5 0x41e7ea in decompileAction /root/libming-asan/util/decompile.c:3285
#6 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
#7 0x41eccd in decompile5Action /root/libming-asan/util/decompile.c:3441
#8 0x4066c6 in outputSWF_DEFINEBUTTON2 /root/libming-asan/util/outputscript.c:931
#9 0x40e331 in outputBlock /root/libming-asan/util/outputscript.c:2083
#10 0x40f3d9 in readMovie /root/libming-asan/util/main.c:286
#11 0x40fb0e in main /root/libming-asan/util/main.c:359
#12 0x7fd28f6d882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x401b58 in _start (/usr/local/libming-asan/bin/swftocxx+0x401b58)
0x60200000ec7a is located 0 bytes to the right of 10-byte region [0x60200000ec70,0x60200000ec7a)
allocated by thread T0 here:
#0 0x7fd290343602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x410eb0 in getString /root/libming-asan/util/decompile.c:345
#2 0x4127f1 in newVar_N /root/libming-asan/util/decompile.c:661
#3 0x41d3ae in decompileCALLMETHOD /root/libming-asan/util/decompile.c:2865
#4 0x41e7ea in decompileAction /root/libming-asan/util/decompile.c:3285
#5 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
#6 0x41eccd in decompile5Action /root/libming-asan/util/decompile.c:3441
#7 0x4066c6 in outputSWF_DEFINEBUTTON2 /root/libming-asan/util/outputscript.c:931
#8 0x40e331 in outputBlock /root/libming-asan/util/outputscript.c:2083
#9 0x40f3d9 in readMovie /root/libming-asan/util/main.c:286
#10 0x40fb0e in main /root/libming-asan/util/main.c:359
#11 0x7fd28f6d882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_vsprintf
Shadow bytes around the buggy address:
0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00[02]
0x0c047fff9d90: fa fa 00 06 fa fa 00 07 fa fa 00 fa fa fa 00 07
0x0c047fff9da0: fa fa fd fd fa fa 00 07 fa fa 01 fa fa fa 00 07
0x0c047fff9db0: fa fa 03 fa fa fa 00 07 fa fa 00 00 fa fa 00 07
0x0c047fff9dc0: fa fa 00 04 fa fa 01 fa fa fa 00 07 fa fa 04 fa
0x0c047fff9dd0: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==30550==ABORTING
getString prints a 32-bit integer into a 10-char buffer, but the number itself has 10 digits, so there's an overflow.
Similar to libming#116, same fix.
Fixes libming#111, CVE-2018-7873.
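The bug class described above (sprintf() of a 32-bit integer into a fixed 10-byte heap buffer, where a 10-digit value plus the terminating NUL needs 11 bytes) can be reproduced and checked in isolation. The following is an added example written for this page; it is not libming's getString or its fix, and the function names (bytes_sprintf_would_write, overflows_buffer, int32_to_string, alloc_sprintf) and the INT32_DEC_BUF constant are hypothetical. It measures the write size with snprintf(NULL, 0, ...) instead of actually overflowing the heap, then shows the two usual hardened forms: a worst-case-sized buffer with snprintf, and a format-then-allocate helper that sizes the buffer to the exact output.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Worst-case decimal width of a 32-bit signed integer, including the sign
 * and the terminating NUL: "-2147483648" is 11 characters, plus NUL = 12.
 * A 10-byte buffer is too small even for positive 10-digit values. */
#define INT32_DEC_BUF 12

/* Number of bytes sprintf(buf, "%d", n) would write, NUL included.
 * Computed with snprintf(NULL, 0, ...) so nothing is actually written. */
static int bytes_sprintf_would_write(int32_t n)
{
    return snprintf(NULL, 0, "%d", n) + 1;
}

/* 1 if formatting n with sprintf into a bufsize-byte buffer overflows it,
 * 0 otherwise. This models the vulnerable sizing: bufsize == 10. */
static int overflows_buffer(int32_t n, size_t bufsize)
{
    return (size_t)bytes_sprintf_would_write(n) > bufsize;
}

/* Hardened form 1: allocate for the worst case and bound the write with
 * snprintf. Returns a malloc'd string, or NULL on allocation/format error. */
static char *int32_to_string(int32_t n)
{
    char *buf = malloc(INT32_DEC_BUF);
    if (buf == NULL)
        return NULL;
    int len = snprintf(buf, INT32_DEC_BUF, "%d", n);
    if (len < 0 || len >= INT32_DEC_BUF) {   /* cannot happen, but fail closed */
        free(buf);
        return NULL;
    }
    return buf;
}

/* Hardened form 2: generic replacement for "malloc(N); sprintf(buf, fmt, ...)".
 * Measures the output first, then allocates exactly that many bytes + NUL,
 * so the buffer size is derived from the data rather than guessed. */
static char *alloc_sprintf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int need = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (need < 0)
        return NULL;

    char *buf = malloc((size_t)need + 1);
    if (buf == NULL)
        return NULL;

    va_start(ap, fmt);
    vsnprintf(buf, (size_t)need + 1, fmt, ap);
    va_end(ap);
    return buf;
}

int main(void)
{
    /* Constructed inputs: a 9-digit value fits a 10-byte buffer, a 10-digit
     * value does not, and INT32_MIN needs 12 bytes. */
    int32_t samples[] = { 123456789, 1234567890, INT32_MIN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%d needs %d bytes; 10-byte buffer overflow: %s\n",
               samples[i], bytes_sprintf_would_write(samples[i]),
               overflows_buffer(samples[i], 10) ? "yes" : "no");
    }

    char *a = int32_to_string(INT32_MIN);
    char *b = alloc_sprintf("%d", 1234567890);
    printf("%s %s\n", a ? a : "(null)", b ? b : "(null)");
    free(a);
    free(b);
    return 0;
}
```

The check to carry over to any similar sprintf-into-malloc site is the one overflows_buffer makes explicit: the buffer must hold the largest value the type can produce plus the NUL, not the size that happened to work on the test inputs.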
POC file: https://github.com/fantasy7082/image_test/blob/master/003-heap-over-swf