Skip to content

heap-buffer-overflow in getName(util/decompile.c:408) #120

Closed
@fantasy7082

Description

@fantasy7082

Hi, i found a heap-buffer-overflow bug in the libming 0.4.8, the details are below(ASAN):

./swftocxx 012-heap-over-swf /dev/null
==13696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000f7d8 at pc 0x000000411568 bp 0x7ffd9cd99ef0 sp 0x7ffd9cd99ee0
READ of size 8 at 0x60b00000f7d8 thread T0
    #0 0x411567 in getName /root/libming-asan/util/decompile.c:408
    #1 0x416882 in decompileGETVARIABLE /root/libming-asan/util/decompile.c:1741
    #2 0x41e5f5 in decompileAction /root/libming-asan/util/decompile.c:3224
    #3 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
    #4 0x41c727 in decompileDEFINEFUNCTION /root/libming-asan/util/decompile.c:2759
    #5 0x41e7b8 in decompileAction /root/libming-asan/util/decompile.c:3279
    #6 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
    #7 0x41b07e in decompileIF /root/libming-asan/util/decompile.c:2581
    #8 0x41e715 in decompileAction /root/libming-asan/util/decompile.c:3260
    #9 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
    #10 0x41eccd in decompile5Action /root/libming-asan/util/decompile.c:3441
    #11 0x40d221 in outputSWF_INITACTION /root/libming-asan/util/outputscript.c:1860
    #12 0x40e331 in outputBlock /root/libming-asan/util/outputscript.c:2083
    #13 0x40f3d9 in readMovie /root/libming-asan/util/main.c:286
    #14 0x40fb0e in main /root/libming-asan/util/main.c:359
    #15 0x7f7d597b682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x401b58 in _start (/usr/local/libming-asan/bin/swftocxx+0x401b58)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libming-asan/util/decompile.c:408 getName
Shadow bytes around the buggy address:
  0x0c167fff9ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c167fff9ef0: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c167fff9f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==13696==ABORTING

POC FILE:https://github.com/fantasy7082/image_test/blob/master/012-heap-over-swf

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions