Hi, i found a heap-buffer-overflow bug in the libming 0.4.8, the details are below(ASAN):
./swftocxx 005-heap-over-swf /dev/null
...
...
==50170==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000b780 at pc 0x0000004113e6 bp 0x7ffcbc1d1ea0 sp 0x7ffcbc1d1e90
READ of size 8 at 0x60b00000b780 thread T0
#0 0x4113e5 in getName /root/libming-asan/util/decompile.c:398
#1 0x41620b in decompileGETMEMBER /root/libming-asan/util/decompile.c:1635
#2 0x41e5b9 in decompileAction /root/libming-asan/util/decompile.c:3216
#3 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
#4 0x41c727 in decompileDEFINEFUNCTION /root/libming-asan/util/decompile.c:2759
#5 0x41e7b8 in decompileAction /root/libming-asan/util/decompile.c:3279
#6 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
#7 0x41b07e in decompileIF /root/libming-asan/util/decompile.c:2581
#8 0x41e715 in decompileAction /root/libming-asan/util/decompile.c:3260
#9 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
#10 0x41eccd in decompile5Action /root/libming-asan/util/decompile.c:3441
#11 0x40d221 in outputSWF_INITACTION /root/libming-asan/util/outputscript.c:1860
#12 0x40e331 in outputBlock /root/libming-asan/util/outputscript.c:2083
#13 0x40f3d9 in readMovie /root/libming-asan/util/main.c:286
#14 0x40fb0e in main /root/libming-asan/util/main.c:359
#15 0x7fae9b56982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#16 0x401b58 in _start (/usr/local/libming-asan/bin/swftocxx+0x401b58)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libming-asan/util/decompile.c:398 getName
Shadow bytes around the buggy address:
0x0c167fff96a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff96b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff96c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff96d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff96e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c167fff96f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==50170==ABORTING
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.
In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).
Also, do not return "" when a pointer is excepted (it should be legal to free
this return value).
This patch fixeslibming#112 (CVE-2018-7875), fixeslibming#120 (CVE-2018-7871),
fixeslibming#117 (CVE-2018-7870), fixeslibming#114 (CVE-2018-7872), fixeslibming#122,
fixeslibming#113 (CVE-2018-7868), fixeslibming#123.
Hi, i found a heap-buffer-overflow bug in the libming 0.4.8, the details are below(ASAN):
POC FILE:https://github.com/fantasy7082/image_test/blob/master/005-heap-over-swf
The text was updated successfully, but these errors were encountered: