On the latest release version of libming (0.4.8), there is a heap-use-after-free in function decompileCALLFUNCTION of decompile.c, which could be triggered by the POC below.
OUTPUT:
/u/test/product/libming/master/exe_asan/bin/swftophp /u/test/fuzz/nclibming/output/poc/id:000015,sig:06,src:000000,op:havoc,rep:4.swf
header indicates a filesize of 130 but filesize is 140
setDimension(11000, 6142);
/* Note: xMin and/or yMin are not 0! */
/* SWF_DOACTION */
=================================================================
==141122==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000070 at pc 0x00000041eed4 bp 0x7ffe2359b230 sp 0x7ffe2359b228
READ of size 8 at 0x603000000070 thread T0
#0 0x41eed3 in getString /u/test/product/libming/master/src/util/decompile.c:349
#1 0x4221ee in newVar_N /u/test/product/libming/master/src/util/decompile.c:661
#2 0x4318e6 in decompileCALLFUNCTION /u/test/product/libming/master/src/util/decompile.c:2895
#3 0x4318e6 in decompileAction /u/test/product/libming/master/src/util/decompile.c:3282
#4 0x44af74 in decompileActions /u/test/product/libming/master/src/util/decompile.c:3419
#5 0x44af74 in decompile5Action /u/test/product/libming/master/src/util/decompile.c:3441
#6 0x411740 in outputSWF_DOACTION /u/test/product/libming/master/src/util/outputscript.c:1551
#7 0x402b69 in readMovie /u/test/product/libming/master/src/util/main.c:286
#8 0x402b69 in main /u/test/product/libming/master/src/util/main.c:359
#9 0x7fd2c9a85c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#10 0x4043d3 (/home/test/product/libming/master/exe_asan/bin/swftophp+0x4043d3)
To reproduce the issue, run: ./bin/swftophp $POC
POC could be downloaded at: https://github.com/traceprobe/POC/blob/master/libming/libming_0-4-8_swftophp_heap-use-after-free_decompileCALLFUNCTION.swf