multiple heap-use-after-frees in decompile.c #130
None of these are reproducible with latest master, all duplicates of former issues. Please, do not request CVE numbers before checking reproducibility and similarity with earlier / fixed in master issues.
FTR, this was fixed in 3a000c7.
Thanks for your comments. And I double-checked this issue. While this issue is still reproducible in the latest release version (0.4.8 released on Apr. 7 2017), it's already fixed in earlier commits (3a000c7) when the author is trying to fix several heap-overflows, even before such issue is created. I would check out the latest commit if I encounter any problem with libming.
In latest release version (0.4.8) of libming, there are multiple heap-use-after-frees in decompileGETVARIABLE/decompileSingleArgBuiltInFunctionCall/decompilePUSHPARAM/decompileDELETE/decompileSETTARGET/decompileSUBSTRING/decompileNEWOBJECT functions of decompile.c, which could be triggered by the POCs below.
To reproduce the issue, compile with ASAN and run: ./swftophp $POC
./swftophp libming_0-4-8_swftophp_heap-use-after-free_decompilePUSHPARAM.swf
=================================================================
==28793==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000070 at pc 0x00000041fef9 bp 0x7ffc4b054a30 sp 0x7ffc4b054a28
READ of size 8 at 0x603000000070 thread T0
#0 0x41fef8 in getName /u/test/test/product/libming/master/src/util/decompile.c:398
#1 0x421024 in decompilePUSHPARAM /u/test/test/product/libming/master/src/util/decompile.c:789
#2 0x42f155 in decompileSETMEMBER /u/test/test/product/libming/master/src/util/decompile.c:1704
#3 0x42f155 in decompileAction /u/test/test/product/libming/master/src/util/decompile.c:3220
#4 0x44af74 in decompileActions /u/test/test/product/libming/master/src/util/decompile.c:3419
#5 0x44af74 in decompile5Action /u/test/test/product/libming/master/src/util/decompile.c:3441
#6 0x411740 in outputSWF_DOACTION /u/test/test/product/libming/master/src/util/outputscript.c:1551
#7 0x402b69 in readMovie /u/test/test/product/libming/master/src/util/main.c:286
#8 0x402b69 in main /u/test/test/product/libming/master/src/util/main.c:359
#9 0x7efe9f3e0c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#10 0x4043d3 (/home/test/test/product/libming/master/exe_asan/bin/swftophp+0x4043d3)
./swftophp libming_0-4-8_swftophp_heap-use-after-free_decompileSingleArgBuiltInFunctionCall.swf
==28096==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000048 at pc 0x00000041eed4 bp 0x7ffd4a70ba40 sp 0x7ffd4a70ba38
READ of size 8 at 0x603000000048 thread T0
#0 0x41eed3 in getString /u/test/test/product/libming/master/src/util/decompile.c:349
#1 0x42550c in newVar_N /u/test/test/product/libming/master/src/util/decompile.c:661
#2 0x42550c in decompileSingleArgBuiltInFunctionCall /u/test/test/product/libming/master/src/util/decompile.c:2919
#3 0x44af74 in decompileActions /u/test/test/product/libming/master/src/util/decompile.c:3419
#4 0x44af74 in decompile5Action /u/test/test/product/libming/master/src/util/decompile.c:3441
#5 0x411740 in outputSWF_DOACTION /u/test/test/product/libming/master/src/util/outputscript.c:1551
#6 0x402b69 in readMovie /u/test/test/product/libming/master/src/util/main.c:286
#7 0x402b69 in main /u/test/test/product/libming/master/src/util/main.c:359
#8 0x7f37e92b9c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#9 0x4043d3 (/home/test/test/product/libming/master/exe_asan/bin/swftophp+0x4043d3)
./swftophp libming_0-4-8_swftophp_heap-use-after-free_decompileGETVARIABLE.swf
=================================================================
==27803==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000000a0 at pc 0x00000041fef9 bp 0x7ffd58d86db0 sp 0x7ffd58d86da8
READ of size 8 at 0x6030000000a0 thread T0
#0 0x41fef8 in getName /u/test/test/product/libming/master/src/util/decompile.c:398
#1 0x42bd46 in decompileGETVARIABLE /u/test/test/product/libming/master/src/util/decompile.c:1741
#2 0x42bd46 in decompileAction /u/test/test/product/libming/master/src/util/decompile.c:3224
#3 0x44af74 in decompileActions /u/test/test/product/libming/master/src/util/decompile.c:3419
#4 0x44af74 in decompile5Action /u/test/test/product/libming/master/src/util/decompile.c:3441
#5 0x411740 in outputSWF_DOACTION /u/test/test/product/libming/master/src/util/outputscript.c:1551
#6 0x402b69 in readMovie /u/test/test/product/libming/master/src/util/main.c:286
#7 0x402b69 in main /u/test/test/product/libming/master/src/util/main.c:359
#8 0x7f9864a5ac04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#9 0x4043d3 (/home/test/test/product/libming/master/exe_asan/bin/swftophp+0x4043d3)
./swftophp libming_0-4-8_swftophp_heap-use-after-free_decompileDELETE.swf
==35898==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000000a0 at pc 0x00000041fef9 bp 0x7ffed5de42b0 sp 0x7ffed5de42a8
READ of size 8 at 0x6030000000a0 thread T0
#0 0x41fef8 in getName /u/test/test/product/libming/master/src/util/decompile.c:398
#1 0x430da0 in decompileDELETE /u/test/test/product/libming/master/src/util/decompile.c:3057
#2 0x430da0 in decompileAction /u/test/test/product/libming/master/src/util/decompile.c:3320
#3 0x44af74 in decompileActions /u/test/test/product/libming/master/src/util/decompile.c:3419
#4 0x44af74 in decompile5Action /u/test/test/product/libming/master/src/util/decompile.c:3441
#5 0x411740 in outputSWF_DOACTION /u/test/test/product/libming/master/src/util/outputscript.c:1551
#6 0x402b69 in readMovie /u/test/test/product/libming/master/src/util/main.c:286
#7 0x402b69 in main /u/test/test/product/libming/master/src/util/main.c:359
#8 0x7fd570f46c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#9 0x4043d3 (/home/test/test/product/libming/master/exe_asan/bin/swftophp+0x4043d3)
./swftophp libming_0-4-8_swftophp_heap-use-after-free_decompileSETTARGET.swf
=================================================================
==100705==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000050 at pc 0x00000056504b bp 0x7ffc0c550710 sp 0x7ffc0c550708
READ of size 8 at 0x603000000050 thread T0
#0 0x56504a in getString /u/test/test/product/libming/master/src/util/decompile.c:349:22
#1 0x561ad4 in decompileSETTARGET /u/test/test/product/libming/master/src/util/decompile.c:3077:20
#2 0x53098c in decompileAction /u/test/test/product/libming/master/src/util/decompile.c
#3 0x562a22 in decompileActions /u/test/test/product/libming/master/src/util/decompile.c:3419:6
#4 0x562a22 in decompile5Action /u/test/test/product/libming/master/src/util/decompile.c:3441
#5 0x522350 in outputSWF_DOACTION /u/test/test/product/libming/master/src/util/outputscript.c:1552:29
#6 0x520727 in outputBlock /u/test/test/product/libming/master/src/util/outputscript.c:2083:4
#7 0x5275be in readMovie /u/test/test/product/libming/master/src/util/main.c:286:4
#8 0x5275be in main /u/test/test/product/libming/master/src/util/main.c:359
#9 0x7f15619f9c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#10 0x41b49b in _start (/home/test/test/product/libming/master/exe_asan/bin/swftophp+0x41b49b)
./swftophp libming_0-4-8_swftophp_heap-use-after-free_decompileSUBSTRING.swf
=================================================================
==101693==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000000a8 at pc 0x00000056504b bp 0x7ffe779a7e30 sp 0x7ffe779a7e28
READ of size 8 at 0x6030000000a8 thread T0
#0 0x56504a in getString /u/test/test/product/libming/master/src/util/decompile.c:349:22
#1 0x5653bd in newVar_N /u/test/test/product/libming/master/src/util/decompile.c:661:14
#2 0x52a1af in decompileSUBSTRING /u/test/test/product/libming/master/src/util/decompile.c:2948:7
#3 0x52a1af in decompileAction /u/test/test/product/libming/master/src/util/decompile.c:3375
#4 0x562a22 in decompileActions /u/test/test/product/libming/master/src/util/decompile.c:3419:6
#5 0x562a22 in decompile5Action /u/test/test/product/libming/master/src/util/decompile.c:3441
#6 0x522350 in outputSWF_DOACTION /u/test/test/product/libming/master/src/util/outputscript.c:1552:29
#7 0x520727 in outputBlock /u/test/test/product/libming/master/src/util/outputscript.c:2083:4
#8 0x5275be in readMovie /u/test/test/product/libming/master/src/util/main.c:286:4
#9 0x5275be in main /u/test/test/product/libming/master/src/util/main.c:359
#10 0x7fc18940ac04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#11 0x41b49b in _start (/home/test/test/product/libming/master/exe_asan/bin/swftophp+0x41b49b)
./swftophp libming_0-4-8_swftophp_heap-use-after-free_decompileNEWOBJECT.swf
=================================================================
==158903==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000040 at pc 0x00000056504b bp 0x7fff4f8d2250 sp 0x7fff4f8d2248
READ of size 8 at 0x603000000040 thread T0
#0 0x56504a in getString /u/test/test/product/libming/master/src/util/decompile.c:349:22
#1 0x5653bd in newVar_N /u/test/test/product/libming/master/src/util/decompile.c:661:14
#2 0x532eed in decompileNEWOBJECT /u/test/test/product/libming/master/src/util/decompile.c:1602:7
#3 0x532eed in decompileAction /u/test/test/product/libming/master/src/util/decompile.c:3208
#4 0x562a22 in decompileActions /u/test/test/product/libming/master/src/util/decompile.c:3419:6
#5 0x562a22 in decompile5Action /u/test/test/product/libming/master/src/util/decompile.c:3441
#6 0x522350 in outputSWF_DOACTION /u/test/test/product/libming/master/src/util/outputscript.c:1552:29
#7 0x520727 in outputBlock /u/test/test/product/libming/master/src/util/outputscript.c:2083:4
#8 0x5275be in readMovie /u/test/test/product/libming/master/src/util/main.c:286:4
#9 0x5275be in main /u/test/test/product/libming/master/src/util/main.c:359
#10 0x7f419fb2ec04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#11 0x41b49b in _start (/home/test/test/product/libming/master/exe_asan/bin/swftophp+0x41b49b)
./swftophp libming_0-4-8_swftophp_heap-use-after-free_decompileIMPLEMENTS.swf
==174163==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000048 at pc 0x000000563fec bp 0x7fff05f34e40 sp 0x7fff05f34e38
READ of size 8 at 0x603000000048 thread T0
#0 0x563feb in getName /u/test/test/product/libming/master/src/util/decompile.c:398:22
#1 0x533d0c in decompileIMPLEMENTS /u/test/test/product/libming/master/src/util/decompile.c:3107:2
#2 0x533d0c in decompileAction /u/test/test/product/libming/master/src/util/decompile.c:3393
#3 0x562a22 in decompileActions /u/test/test/product/libming/master/src/util/decompile.c:3419:6
#4 0x562a22 in decompile5Action /u/test/test/product/libming/master/src/util/decompile.c:3441
#5 0x522350 in outputSWF_DOACTION /u/test/test/product/libming/master/src/util/outputscript.c:1552:29
#6 0x520727 in outputBlock /u/test/test/product/libming/master/src/util/outputscript.c:2083:4
#7 0x5275be in readMovie /u/test/test/product/libming/master/src/util/main.c:286:4
#8 0x5275be in main /u/test/test/product/libming/master/src/util/main.c:359
#9 0x7f43ea169c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#10 0x41b49b in _start (/home/test/test/product/libming/master/exe_asan/bin/swftophp+0x41b49b)
libming_poc.zip
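Added example (not part of the issue and not libming code): a small triage script that groups ASAN reports like the ones above by error kind and faulting frame, so that POCs landing on the same read in getName or getString are seen as one bucket before filing. The sample input is constructed by abbreviating three of the traces above; the names `normalize`, `parse_reports` and `bucket` are this example's own.

```python
import os
import re
from collections import defaultdict

# Constructed sample: three of the reports above, abbreviated (headers and paths shortened).
SAMPLE = """\
==27803==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000000a0
    #0 0x41fef8 in getName src/util/decompile.c:398
    #1 0x42bd46 in decompileGETVARIABLE src/util/decompile.c:1741
==174163==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000048
    #0 0x563feb in getName src/util/decompile.c:398:22
    #1 0x533d0c in decompileIMPLEMENTS src/util/decompile.c:3107:2
==101693==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000000a8
    #0 0x56504a in getString src/util/decompile.c:349:22
    #1 0x5653bd in newVar_N src/util/decompile.c:661:14
    #2 0x52a1af in decompileSUBSTRING src/util/decompile.c:2948:7
"""

HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+)")
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

def normalize(loc):
    """Reduce 'path/file.c:LINE[:COL]' to 'file.c:LINE' so builds with and without column info compare equal."""
    parts = loc.split(":")
    return os.path.basename(parts[0]) + (":" + parts[1] if len(parts) > 1 else "")

def parse_reports(text):
    """Split ASAN output into reports: (error kind, [(function, location), ...])."""
    reports = []
    for line in text.splitlines():
        if (m := HEADER.search(line)):
            reports.append((m.group(1), []))
        elif reports and (m := FRAME.search(line)):
            reports[-1][1].append((m.group(1), normalize(m.group(2))))
    return reports

def bucket(reports):
    """Group reports by (kind, faulting function, location); list the decompile* callers per bucket."""
    buckets = defaultdict(list)
    for kind, frames in reports:
        if not frames:
            continue
        func, loc = frames[0]
        entry = next((f for f, _ in frames[1:] if f.startswith("decompile")), "?")
        buckets[(kind, func, loc)].append(entry)
    return {k: sorted(v) for k, v in buckets.items()}

if __name__ == "__main__":
    for key, entries in bucket(parse_reports(SAMPLE)).items():
        print(key, "<-", ", ".join(entries))
```

Run over the three sample reports, this yields two buckets; the same keys can then be compared against the traces in earlier issues to spot duplicates.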