Null pointer dereference in getInt (decompile.c) #133
The Fix: As usual when dealing with I will wait for the currently open PR before pushing this patch.
When getInt is passed a PUSH_REGISTER parameter, it retrieves the content of this register and returns the value contained by this register as an int. When this register is empty, we call getInt with a NULL pointer and a null pointer dereference occurs. In this patch we first make sure that regs[act->p.RegisterNumber] is not NULL before doing anything with it. Fixes libming#133 (CVE-2018-9132).
On the latest version (0.4.8) of libming (commit 50e2bf7), there is a null pointer dereference in the getInt function of decompile.c, which can be triggered by the POC below.
To reproduce the issue, run ./swftophp $POC
The POC is attached.
==146840==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000042c454 bp 0x000000000022 sp 0x7ffca3ae5e10 T0)
==146840==The signal is caused by a READ memory access.
==146840==Hint: address points to the zero page.
#0 0x42c453 in getInt /u/test/test/product/libming/master/src/util/decompile.c:455
#1 0x42c453 in decompileGETPROPERTY /u/test/test/product/libming/master/src/util/decompile.c:1445
#2 0x42c453 in decompileAction /u/test/test/product/libming/master/src/util/decompile.c:3226
#3 0x44a0e4 in decompileActions /u/test/test/product/libming/master/src/util/decompile.c:3460
#4 0x44a0e4 in decompile5Action /u/test/test/product/libming/master/src/util/decompile.c:3483
#5 0x410b70 in outputSWF_DOACTION /u/test/test/product/libming/master/src/util/outputscript.c:1551
#6 0x402a48 in readMovie /u/test/test/product/libming/master/src/util/main.c:281
#7 0x402a48 in main /u/test/test/product/libming/master/src/util/main.c:354
#8 0x7fd038bc2c04 in __libc_start_main (/usr/lib64/libc.so.6+0x21c04)
#9 0x404073 (/home/test/test/product/libming/master/exe_asan/bin/swftophp+0x404073)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /u/test/test/product/libming/master/src/util/decompile.c:455 in getInt
==146840==ABORTING
libming_0-4-8_swftophp_null-pointer-dereference_getInt.swf.zip
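The register lookup described in the fix comment above, modelled as an added C example (this is not libming's code): the unchecked shape follows an empty register slot into a read at NULL, the checked shape refuses it and reports the empty register. The type and field names (PushValue, regs, reg_store, reg_value_or) are assumptions made for this illustration.

```c
#include <stdio.h>

/* Constructed model of getInt()'s PUSH_REGISTER lookup; type and field names
 * are assumptions for illustration, not libming's own code. */
#define NUM_REGS 256
enum PushType { PUSH_INT, PUSH_REGISTER };
struct PushValue {
    enum PushType type;
    union { int Integer; unsigned char RegisterNumber; } p;
};

/* Register file: a slot stays NULL until a store action fills it.
 * RegisterNumber is an unsigned char, so it always indexes inside NUM_REGS. */
static struct PushValue reg_store[NUM_REGS];
static struct PushValue *regs[NUM_REGS];

static void clear_regs(void) { for (int i = 0; i < NUM_REGS; i++) regs[i] = NULL; }
static void store_reg(unsigned char n, int value) {
    reg_store[n].type = PUSH_INT;
    reg_store[n].p.Integer = value;
    regs[n] = &reg_store[n];
}

/* Vulnerable shape: the register slot is followed without a NULL check,
 * so an empty register leads to reading act->type at address NULL. */
static int getInt_unchecked(const struct PushValue *act) {
    if (act->type == PUSH_REGISTER)
        return getInt_unchecked(regs[act->p.RegisterNumber]);
    return act->p.Integer;
}

/* Hardened shape: returns 0 and sets *out, or -1 when the register is empty. */
static int getInt_checked(const struct PushValue *act, int *out) {
    if (act->type == PUSH_REGISTER) {
        const struct PushValue *r = regs[act->p.RegisterNumber];
        if (r == NULL) return -1;   /* the fix: check the slot before using it */
        return getInt_checked(r, out);
    }
    *out = act->p.Integer;
    return 0;
}

/* Value of register n via the checked path, or fallback if it is empty. */
static int reg_value_or(unsigned char n, int fallback) {
    struct PushValue act = { .type = PUSH_REGISTER, .p.RegisterNumber = n };
    int v;
    return getInt_checked(&act, &v) == 0 ? v : fallback;
}

int main(void) {
    clear_regs();
    printf("empty r3 -> %d\n", reg_value_or(3, -1));                    /* -1, no crash */
    store_reg(3, 42);
    printf("stored r3 -> %d / %d\n", reg_value_or(3, -1), getInt_unchecked(&reg_store[3])); /* 42 / 42 */
    return 0;
}
```

Running the unchecked variant against an empty slot reproduces the zero-page SEGV shape in the ASan report above; the checked variant turns it into an ordinary error return.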