Closed
Description
Hi, I found a heap-buffer-overflow bug in libming 0.4.8; the details are below (ASAN):
./swftocxx 012-heap-over-swf /dev/null
==13696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000f7d8 at pc 0x000000411568 bp 0x7ffd9cd99ef0 sp 0x7ffd9cd99ee0
READ of size 8 at 0x60b00000f7d8 thread T0
#0 0x411567 in getName /root/libming-asan/util/decompile.c:408
#1 0x416882 in decompileGETVARIABLE /root/libming-asan/util/decompile.c:1741
#2 0x41e5f5 in decompileAction /root/libming-asan/util/decompile.c:3224
#3 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
#4 0x41c727 in decompileDEFINEFUNCTION /root/libming-asan/util/decompile.c:2759
#5 0x41e7b8 in decompileAction /root/libming-asan/util/decompile.c:3279
#6 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
#7 0x41b07e in decompileIF /root/libming-asan/util/decompile.c:2581
#8 0x41e715 in decompileAction /root/libming-asan/util/decompile.c:3260
#9 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
#10 0x41eccd in decompile5Action /root/libming-asan/util/decompile.c:3441
#11 0x40d221 in outputSWF_INITACTION /root/libming-asan/util/outputscript.c:1860
#12 0x40e331 in outputBlock /root/libming-asan/util/outputscript.c:2083
#13 0x40f3d9 in readMovie /root/libming-asan/util/main.c:286
#14 0x40fb0e in main /root/libming-asan/util/main.c:359
#15 0x7f7d597b682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#16 0x401b58 in _start (/usr/local/libming-asan/bin/swftocxx+0x401b58)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libming-asan/util/decompile.c:408 getName
Shadow bytes around the buggy address:
0x0c167fff9ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c167fff9ef0: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
0x0c167fff9f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==13696==ABORTING
POC FILE: https://github.com/fantasy7082/image_test/blob/master/012-heap-over-swf