Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Invalid memory address dereference in function decompileGETVARIABLE and getName (in util/decompile.c:398) #122

Closed
fantasy7082 opened this issue Mar 9, 2018 · 1 comment · Fixed by #125

Comments

@fantasy7082
Copy link

Hi, i found a issue in the libming 0.4.8. it is crashed by function decompileSingleArgBuiltInFunctionCall to getString It just cause a Invalid memory address dereference.the details are below(ASAN):

./swftocxx 014-unknown-def-swf-398 /dev/null
...
...
ASAN:SIGSEGV
=================================================================
==1855==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000004113e6 bp 0x7ffca8535b80 sp 0x7ffca8535b60 T0)
    #0 0x4113e5 in getName /root/libming-asan/util/decompile.c:398
    #1 0x416882 in decompileGETVARIABLE /root/libming-asan/util/decompile.c:1741
    #2 0x41e5f5 in decompileAction /root/libming-asan/util/decompile.c:3224
    #3 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
    #4 0x41eccd in decompile5Action /root/libming-asan/util/decompile.c:3441
    #5 0x4066c6 in outputSWF_DEFINEBUTTON2 /root/libming-asan/util/outputscript.c:931
    #6 0x40e331 in outputBlock /root/libming-asan/util/outputscript.c:2083
    #7 0x40f3d9 in readMovie /root/libming-asan/util/main.c:286
    #8 0x40fb0e in main /root/libming-asan/util/main.c:359
    #9 0x7f2cdba7082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x401b58 in _start (/usr/local/libming-asan/bin/swftocxx+0x401b58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/libming-asan/util/decompile.c:398 getName
==1855==ABORTING

POC FILE:https://github.com/fantasy7082/image_test/blob/master/014-unknown-def-swf-398

@hlef
Copy link
Contributor

hlef commented Mar 12, 2018

Reproducible on latest master. Very similar to #112 and #123, will be fixed by the same patch.

FTR, this issue was not assigned a CVE number.

hlef added a commit to hlef/libming that referenced this issue Mar 12, 2018
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).

This patch fixes libming#112 (CVE-2018-7875), fixes libming#123, fixes libming#122.
hlef added a commit to hlef/libming that referenced this issue Mar 12, 2018
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).

This patch fixes libming#112 (CVE-2018-7875), fixes libming#123, fixes libming#122.
hlef added a commit to hlef/libming that referenced this issue Mar 12, 2018
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).

This patch fixes libming#112 (CVE-2018-7875), libming#120 (CVE-2018-7871), fixes libming#123,
fixes libming#122.
hlef added a commit to hlef/libming that referenced this issue Mar 12, 2018
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).

Also, do not return "" when a pointer is excepted (it should be legal to free
this return value).

This patch fixes libming#112 (CVE-2018-7875), fixes libming#120 (CVE-2018-7871),
fixes libming#117 (CVE-2018-7870), fixes libming#122, fixes libming#123.
hlef added a commit to hlef/libming that referenced this issue Mar 12, 2018
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).

Also, do not return "" when a pointer is excepted (it should be legal to free
this return value).

This patch fixes libming#112 (CVE-2018-7875), fixes libming#120 (CVE-2018-7871),
fixes libming#117 (CVE-2018-7870), fixes libming#122, fixes libming#123.
hlef added a commit to hlef/libming that referenced this issue Mar 12, 2018
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).

Also, do not return "" when a pointer is excepted (it should be legal to free
this return value).

This patch fixes libming#112 (CVE-2018-7875), fixes libming#120 (CVE-2018-7871),
fixes libming#117 (CVE-2018-7870), fixes libming#114 (CVE-2018-7872), fixes libming#122,
fixes libming#123.
hlef added a commit to hlef/libming that referenced this issue Mar 12, 2018
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).

Also, do not return "" when a pointer is excepted (it should be legal to free
this return value).

This patch fixes libming#112 (CVE-2018-7875), fixes libming#120 (CVE-2018-7871),
fixes libming#117 (CVE-2018-7870), fixes libming#114 (CVE-2018-7872), fixes libming#122,
fixes libming#113 (CVE-2018-7868), fixes libming#123.
@strk strk closed this as completed in #125 Mar 13, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants