On the latest version of libming, there is a heap-use-after-free in the decompileArithmeticOp function of decompile.c, which could be triggered by the POC below.
OUTPUT:
header indicates a filesize of 140 but filesize is 166
setDimension(11000, 8000);
/* SWF_DOACTION */
=================================================================
==60331==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000040 at pc 0x00000041eed4 bp 0x7ffec73572d0 sp 0x7ffec73572c8
READ of size 8 at 0x603000000040 thread T0
#0 0x41eed3 in getString /u/test/product/libming/master/src/util/decompile.c:349
#1 0x42691d in decompileArithmeticOp /u/test/product/libming/master/src/util/decompile.c:1080
#2 0x44af74 in decompileActions /u/test/product/libming/master/src/util/decompile.c:3419
#3 0x44af74 in decompile5Action /u/test/product/libming/master/src/util/decompile.c:3441
#4 0x411740 in outputSWF_DOACTION /u/test/product/libming/master/src/util/outputscript.c:1551
#5 0x402b69 in readMovie /u/test/product/libming/master/src/util/main.c:286
#6 0x402b69 in main /u/test/product/libming/master/src/util/main.c:359
#7 0x7f65a8dbfc04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#8 0x4043d3 (/home/test/product/libming/master/exe_asan/bin/swftophp+0x4043d3)
To reproduce the issue, run: ./bin/swftophp $POC
The POC can be downloaded at: https://github.com/ProbeFuzzer/poc/blob/master/libming/libming_0-4-8_swftophp_heap-use-after-free_bmpdecompileArithmeticOp.swf
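For triaging this report alongside other fuzzer crashes, the added example below (not part of the original issue or of libming) parses the AddressSanitizer output quoted above and derives a deduplication key from the bug class, access kind and top source frames. The function names `parse_asan` and `dedup_key` and the bucketing scheme are assumptions of this example.

```python
import re

# Report lines copied from the issue above (frames #0-#4 and #7 only).
REPORT = """\
==60331==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000040 at pc 0x00000041eed4 bp 0x7ffec73572d0 sp 0x7ffec73572c8
READ of size 8 at 0x603000000040 thread T0
#0 0x41eed3 in getString /u/test/product/libming/master/src/util/decompile.c:349
#1 0x42691d in decompileArithmeticOp /u/test/product/libming/master/src/util/decompile.c:1080
#2 0x44af74 in decompileActions /u/test/product/libming/master/src/util/decompile.c:3419
#3 0x44af74 in decompile5Action /u/test/product/libming/master/src/util/decompile.c:3441
#4 0x411740 in outputSWF_DOACTION /u/test/product/libming/master/src/util/outputscript.c:1551
#7 0x7f65a8dbfc04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
# Only frames with source info match: "#N 0xPC in func /path/file.c:line".
# Frames that resolve to "(module+offset)" are skipped.
FRAME = re.compile(
    r"^[ \t]*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$", re.M)


def parse_asan(report):
    """Return bug class, faulting address, access kind/size and source frames."""
    head = HEADER.search(report)
    if head is None:
        raise ValueError("not an AddressSanitizer report")
    acc = ACCESS.search(report)
    frames = [(int(n), func, path.rsplit("/", 1)[-1], int(line))
              for n, func, path, line in FRAME.findall(report)]
    return {"bug": head.group(1), "address": head.group(2),
            "access": acc.group(1) if acc else None,
            "size": int(acc.group(2)) if acc else None,
            "frames": frames}


def dedup_key(parsed, depth=3):
    """Bucket crashes by bug class, access kind and top source frames.
    Addresses and line numbers are left out because they change between builds."""
    top = [f"{func}@{src}" for _, func, src, _ in parsed["frames"][:depth]]
    return "|".join([parsed["bug"], parsed["access"] or "?"] + top)


if __name__ == "__main__":
    print(dedup_key(parse_asan(REPORT)))
```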