Null pointer dereference in getInt (decompile.c) #133

Closed
traceprobe opened this issue Mar 29, 2018 · 1 comment
traceprobe commented Mar 29, 2018

On the latest version (0.4.8) of libming, commit 50e2bf7, there is a null pointer dereference in the getInt function of decompile.c, which can be triggered by the PoC below.

To reproduce the issue, run ./swftophp $POC
The PoC is attached.

==146840==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000042c454 bp 0x000000000022 sp 0x7ffca3ae5e10 T0)
==146840==The signal is caused by a READ memory access.
==146840==Hint: address points to the zero page.
#0 0x42c453 in getInt /u/test/test/product/libming/master/src/util/decompile.c:455
#1 0x42c453 in decompileGETPROPERTY /u/test/test/product/libming/master/src/util/decompile.c:1445
#2 0x42c453 in decompileAction /u/test/test/product/libming/master/src/util/decompile.c:3226
#3 0x44a0e4 in decompileActions /u/test/test/product/libming/master/src/util/decompile.c:3460
#4 0x44a0e4 in decompile5Action /u/test/test/product/libming/master/src/util/decompile.c:3483
#5 0x410b70 in outputSWF_DOACTION /u/test/test/product/libming/master/src/util/outputscript.c:1551
#6 0x402a48 in readMovie /u/test/test/product/libming/master/src/util/main.c:281
#7 0x402a48 in main /u/test/test/product/libming/master/src/util/main.c:354
#8 0x7fd038bc2c04 in __libc_start_main (/usr/lib64/libc.so.6+0x21c04)
#9 0x404073 (/home/test/test/product/libming/master/exe_asan/bin/swftophp+0x404073)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /u/test/test/product/libming/master/src/util/decompile.c:455 in getInt
==146840==ABORTING

libming_0-4-8_swftophp_null-pointer-dereference_getInt.swf.zip

hlef (Contributor) commented May 14, 2018

The getInt function returns the passed SWF_ACTIONPUSHPARAM as an int. When it is passed a PUSH_REGISTER type, it retrieves the content of this register and returns the value contained in this register as an int. When this register is empty, we call getInt with a NULL pointer and a null pointer dereference occurs.

Fix: As usual when dealing with PUSH_REGISTER, we first make sure that regs[act->p.RegisterNumber] is not NULL before doing anything with it.

diff --git a/util/decompile.c b/util/decompile.c
index e9341356..da2ab3d9 100644
--- a/util/decompile.c
+++ b/util/decompile.c
@@ -481,7 +481,15 @@ getInt(struct SWF_ACTIONPUSHPARAM *act)
        case PUSH_NULL: /* NULL */
                return 0;
        case PUSH_REGISTER: /* REGISTER */
-               return getInt(regs[act->p.RegisterNumber]);
+               if (regs[act->p.RegisterNumber])
+               {
+                       return getInt(regs[act->p.RegisterNumber]);
+               }
+               else
+               {
+                       SWF_warn("WARNING: retrieving undefined register values.\n");
+                       break;
+               }
        case PUSH_DOUBLE: /* DOUBLE */
                return (int)act->p.Double;
        case PUSH_INT: /* INTEGER */
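Review bot: in the PUSH_REGISTER case, the new else branch ends with `break` rather than a `return`, so the value getInt yields for an undefined register depends on whatever follows the switch, which this hunk does not show; returning 0 directly, as the `PUSH_NULL` case two lines above already does, would make the fallback explicit and keep the case self-contained. Note also that `regs[act->p.RegisterNumber]` is still indexed with no range check visible in the hunk; that is only safe if RegisterNumber is a UI8 and regs has at least 256 entries, which is worth confirming (or stating in a comment) next to the new NULL check.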

I will wait for the currently open PR before pushing this patch.
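The register path hlef describes, modelled in C as an added example that is not libming's own code: the pre-patch switch sits beside a guarded one so the NULL dereference and the fix can be exercised in isolation. The struct and field names and the PUSH_* values mirror the ones in the comment and in the SWF push-type encoding; NUM_REGS, the getInt_unguarded/getInt_guarded names, the recursion cap and the demo_* helpers are assumptions of this example.

```c
/* Added example, not libming's code: a minimal model of the getInt()
 * PUSH_REGISTER path from util/decompile.c, with the pre-patch logic beside
 * a guarded version. Struct/field names and PUSH_* values follow the SWF
 * push-type encoding; NUM_REGS, the function names, MAX_REG_DEPTH and the
 * demo_* helpers are assumptions of this example. */
#include <stdio.h>
#include <string.h>

enum { PUSH_NULL = 2, PUSH_REGISTER = 4, PUSH_DOUBLE = 6, PUSH_INT = 7 };

struct SWF_ACTIONPUSHPARAM {
    int Type;
    union {
        double        Double;
        int           Integer;
        unsigned char RegisterNumber;   /* UI8: 0..255 */
    } p;
};

#define NUM_REGS 256                                /* assumed register-file size */
static struct SWF_ACTIONPUSHPARAM *regs[NUM_REGS];  /* NULL = never assigned */

/* Pre-patch behaviour: a PUSH_REGISTER naming a register that was never
 * assigned recurses on regs[n] == NULL, and the recursive call then reads
 * act->Type through the NULL pointer (the zero-page read in the ASan trace). */
static int getInt_unguarded(struct SWF_ACTIONPUSHPARAM *act)
{
    switch (act->Type) {
    case PUSH_NULL:     return 0;
    case PUSH_REGISTER: return getInt_unguarded(regs[act->p.RegisterNumber]);
    case PUSH_DOUBLE:   return (int)act->p.Double;
    case PUSH_INT:      return act->p.Integer;
    default:            return 0;
    }
}

/* Guarded version of the same switch. The NULL check is the fix from the
 * patch; returning 0 explicitly (as PUSH_NULL does) and the recursion cap for
 * registers that refer back to themselves are this example's own additions. */
#define MAX_REG_DEPTH 16
static int getInt_guarded_depth(struct SWF_ACTIONPUSHPARAM *act, int depth)
{
    if (act == NULL || depth > MAX_REG_DEPTH)
        return 0;
    switch (act->Type) {
    case PUSH_NULL:
        return 0;
    case PUSH_REGISTER:
        /* RegisterNumber is a UI8, so with NUM_REGS == 256 the index is always
         * in range; the check on the register's content is what was missing. */
        if (regs[act->p.RegisterNumber] == NULL) {
            fprintf(stderr, "WARNING: retrieving undefined register values.\n");
            return 0;
        }
        return getInt_guarded_depth(regs[act->p.RegisterNumber], depth + 1);
    case PUSH_DOUBLE:
        return (int)act->p.Double;
    case PUSH_INT:
        return act->p.Integer;
    default:
        return 0;
    }
}

static int getInt_guarded(struct SWF_ACTIONPUSHPARAM *act)
{
    return getInt_guarded_depth(act, 0);
}

/* The PoC scenario: a push of register 3, which nothing ever stored to. */
static int demo_undefined_register(void)
{
    memset(regs, 0, sizeof regs);
    struct SWF_ACTIONPUSHPARAM act = { .Type = PUSH_REGISTER, .p.RegisterNumber = 3 };
    return getInt_guarded(&act);                /* 0, no NULL dereference */
}

/* Normal case: register 3 holds an integer; both versions agree. */
static int demo_defined_register(void)
{
    memset(regs, 0, sizeof regs);
    struct SWF_ACTIONPUSHPARAM val = { .Type = PUSH_INT, .p.Integer = 42 };
    struct SWF_ACTIONPUSHPARAM act = { .Type = PUSH_REGISTER, .p.RegisterNumber = 3 };
    regs[3] = &val;
    int a = getInt_unguarded(&act);
    int b = getInt_guarded(&act);
    regs[3] = NULL;
    return a == b ? a : -1;                     /* 42 */
}

/* Register 5 contains a push of register 5: unbounded recursion unguarded,
 * cut off by MAX_REG_DEPTH here. */
static int demo_register_cycle(void)
{
    memset(regs, 0, sizeof regs);
    struct SWF_ACTIONPUSHPARAM self = { .Type = PUSH_REGISTER, .p.RegisterNumber = 5 };
    regs[5] = &self;
    int r = getInt_guarded(&self);
    regs[5] = NULL;
    return r;                                   /* 0 */
}

int main(void)
{
    printf("undefined register -> %d\n", demo_undefined_register());
    printf("defined register   -> %d\n", demo_defined_register());
    printf("register cycle     -> %d\n", demo_register_cycle());
    return 0;
}
```

Calling getInt_unguarded on the first scenario reproduces the crash; the guarded version returns 0 for it and for the self-referencing register, and matches the unguarded result when the register is actually populated.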

hlef added a commit to hlef/libming that referenced this issue May 26, 2018
When getInt is passed a PUSH_REGISTER parameter, it retrieves the
content of this register and returns the value contained by this
register as an int. When this register is empty, we call getInt with
a NULL pointer and a null pointer dereference occurs.

In this patch we first make sure that regs[act->p.RegisterNumber] is
not NULL before doing anything with it.

Fixes libming#133 (CVE-2018-9132).
@strk strk closed this as completed in dc65ba0 Jul 12, 2020