New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
heap-buffer-overflow in getString(util/decompile.c:349) #112
Comments
|
Reproduced on latest master together with #123. FTR, this issue was assigned CVE number CVE-2018-7875. |
|
So, it looks like In order to verify that we have to know how many constants are stored in the pool. Unfortunately there's currently no way to know it because we don't store such information (we only keep the pool as a |
Constants are usually retrieved from the constant pool without verifying that the pool actually contains them, which may lead to various heap buffer overflow issues. In this patch we add a counter keeping track of how many elements the pool contains, and checks making sure that whenever the pool is accessed, the constant in present in the pool (constant position < pool counter). This patch fixes libming#112 (CVE-2018-7875), fixes libming#123, fixes libming#122.
Constants are usually retrieved from the constant pool without verifying that the pool actually contains them, which may lead to various heap buffer overflow issues. In this patch we add a counter keeping track of how many elements the pool contains, and checks making sure that whenever the pool is accessed, the constant in present in the pool (constant position < pool counter). This patch fixes libming#112 (CVE-2018-7875), fixes libming#123, fixes libming#122.
Constants are usually retrieved from the constant pool without verifying that the pool actually contains them, which may lead to various heap buffer overflow issues. In this patch we add a counter keeping track of how many elements the pool contains, and checks making sure that whenever the pool is accessed, the constant in present in the pool (constant position < pool counter). This patch fixes libming#112 (CVE-2018-7875), libming#120 (CVE-2018-7871), fixes libming#123, fixes libming#122.
Constants are usually retrieved from the constant pool without verifying that the pool actually contains them, which may lead to various heap buffer overflow issues. In this patch we add a counter keeping track of how many elements the pool contains, and checks making sure that whenever the pool is accessed, the constant in present in the pool (constant position < pool counter). Also, do not return "" when a pointer is excepted (it should be legal to free this return value). This patch fixes libming#112 (CVE-2018-7875), fixes libming#120 (CVE-2018-7871), fixes libming#117 (CVE-2018-7870), fixes libming#122, fixes libming#123.
Constants are usually retrieved from the constant pool without verifying that the pool actually contains them, which may lead to various heap buffer overflow issues. In this patch we add a counter keeping track of how many elements the pool contains, and checks making sure that whenever the pool is accessed, the constant in present in the pool (constant position < pool counter). Also, do not return "" when a pointer is excepted (it should be legal to free this return value). This patch fixes libming#112 (CVE-2018-7875), fixes libming#120 (CVE-2018-7871), fixes libming#117 (CVE-2018-7870), fixes libming#122, fixes libming#123.
Constants are usually retrieved from the constant pool without verifying that the pool actually contains them, which may lead to various heap buffer overflow issues. In this patch we add a counter keeping track of how many elements the pool contains, and checks making sure that whenever the pool is accessed, the constant in present in the pool (constant position < pool counter). Also, do not return "" when a pointer is excepted (it should be legal to free this return value). This patch fixes libming#112 (CVE-2018-7875), fixes libming#120 (CVE-2018-7871), fixes libming#117 (CVE-2018-7870), fixes libming#114 (CVE-2018-7872), fixes libming#122, fixes libming#123.
Constants are usually retrieved from the constant pool without verifying that the pool actually contains them, which may lead to various heap buffer overflow issues. In this patch we add a counter keeping track of how many elements the pool contains, and checks making sure that whenever the pool is accessed, the constant in present in the pool (constant position < pool counter). Also, do not return "" when a pointer is excepted (it should be legal to free this return value). This patch fixes libming#112 (CVE-2018-7875), fixes libming#120 (CVE-2018-7871), fixes libming#117 (CVE-2018-7870), fixes libming#114 (CVE-2018-7872), fixes libming#122, fixes libming#113 (CVE-2018-7868), fixes libming#123.
Hi, i found a heap-buffer-overflow bug in the libming 0.4.8, the details are below(ASAN):
POC FILE:https://github.com/fantasy7082/image_test/blob/master/004-heap-over-swf
The text was updated successfully, but these errors were encountered: