heap-buffer-overflow in getString(util/decompile.c:332) #116
Comments
Reproduced on latest master. It looks like only 4 bytes are malloc-ed, assuming that the passed register number is only two digits, which happens to be false. FTR, this issue was assigned number CVE-2018-7867.
hlef added a commit to hlef/libming that referenced this issue on Mar 16, 2018:

getString is allocating a 4-byte buffer to store an 'R' and an 8-bit number.

    t=malloc(4); /* Rdd */
    sprintf(t,"R%d", act->p.RegisterNumber );
    return t;

Since up to three digits can be required to store the 8-bit number, the buffer has to be 5 bytes long. In this commit we also fix the PUSH_DOUBLE case by dynamically computing the required buffer size. This commit fixes libming#116 (CVE-2018-7867).
hlef added a commit to hlef/libming that referenced this issue on Mar 21, 2018 (same commit message as the Mar 16, 2018 commit).
hlef added a second commit to hlef/libming that referenced this issue on Mar 21, 2018 (same commit message as the Mar 16, 2018 commit).
hlef added a commit to hlef/libming that referenced this issue on May 26, 2018:

getString prints a 32-bit integer to a 10-char buffer, but the number itself has 10 digits, so there's an overflow. Similar to libming#116, same fix. Fixes libming#111, CVE-2018-7873.
strk pushed a commit that referenced this issue on Jul 12, 2020:

getString prints a 32-bit integer to a 10-char buffer, but the number itself has 10 digits, so there's an overflow. Similar to #116, same fix. Fixes #111, CVE-2018-7873.
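The register-number commit (CVE-2018-7867) and the 32-bit-integer commit for #111 (CVE-2018-7873) share one root cause: a fixed-size malloc in front of a sprintf whose output length depends on the value being printed. The example below is added here and is not libming's code; it reproduces the arithmetic of both overflows (4-byte buffer for "R%d" of an 8-bit value, 10-char buffer for a 32-bit value) and shows the "compute the required buffer size" fix the commit message describes, using a C99 vsnprintf(NULL, 0, ...) dry run. The "%d" format for the 32-bit case and the sample values are assumptions, since the page does not show that code. It also covers the sign case, which the commit message does not mention: a negative 32-bit value needs 12 bytes, not 11.

```c
/* Added example, not libming code: sizing a sprintf allocation from the
 * format itself, versus the fixed-size buffers from the two commits above. */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Original getString register case (from the commit message):
 *   t=malloc(4); sprintf(t,"R%d", act->p.RegisterNumber); */
#define ORIG_REGISTER_BUF 4
/* Original #111 case: a 10-char buffer for a 32-bit integer. */
#define ORIG_INT32_BUF 10

/* Number of bytes sprintf would write for this format/value, including the
 * terminating NUL. vsnprintf(NULL, 0, ...) returns the length without the NUL. */
static size_t bytes_sprintf_writes(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* The fix pattern: dry-run the format, allocate exactly that much, print again. */
static char *format_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);              /* second pass needs a fresh copy */
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0) { va_end(ap2); return NULL; }
    size_t need = (size_t)n + 1;   /* +1 for the NUL terminator */
    char *buf = malloc(need);
    if (buf != NULL)
        vsnprintf(buf, need, fmt, ap2);
    va_end(ap2);
    return buf;
}

/* 1 if sprintf("R%d", reg) would write past the original 4-byte buffer. */
static int register_overflows_original(uint8_t reg)
{
    return bytes_sprintf_writes("R%d", reg) > ORIG_REGISTER_BUF;
}

/* Same check for a 32-bit value in the original 10-char buffer.
 * "%d" is assumed; the page does not show the format decompile.c used. */
static int int32_overflows_original(int32_t v)
{
    return bytes_sprintf_writes("%d", v) > ORIG_INT32_BUF;
}

/* Hardened register case: the allocation follows the value, so no
 * register number can overflow it. */
static char *register_string(uint8_t reg)
{
    return format_alloc("R%d", reg);
}

/* Helper for checking the hardened output: formats, compares, frees. */
static int register_string_is(uint8_t reg, const char *expected)
{
    char *s = register_string(reg);
    int ok = (s != NULL) && (strcmp(s, expected) == 0);
    free(s);
    return ok;
}

int main(void)
{
    /* Constructed inputs sitting on the boundary where each original buffer
     * stops fitting: R99 is the last register that fits in 4 bytes. */
    printf("R99  overflows 4-byte buffer:  %d\n", register_overflows_original(99));
    printf("R100 overflows 4-byte buffer:  %d\n", register_overflows_original(100));
    printf("999999999  overflows 10-char:  %d\n", int32_overflows_original(999999999));
    printf("1000000000 overflows 10-char:  %d\n", int32_overflows_original(1000000000));
    printf("INT32_MIN  overflows 10-char:  %d\n", int32_overflows_original(INT32_MIN));
    char *s = register_string(255);
    printf("sized allocation holds \"%s\" in %zu bytes\n", s, bytes_sprintf_writes("R%d", 255));
    free(s);
    return 0;
}
```

The 8-bit register value caps "R%d" at 5 bytes, so a constant malloc(5) is enough there; the dry-run approach matters more for the PUSH_DOUBLE and 32-bit integer cases, where the printed length depends on the value and a hand-counted constant is exactly how both of these bugs were introduced.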
Hi, I found a heap-buffer-overflow bug in libming 0.4.8; the details are below (ASAN):
POC FILE: https://github.com/fantasy7082/image_test/blob/master/008-heap-over-swf