
Null pointer dereference in getInt (decompile.c) #133

Closed
@traceprobe

Description


On the latest version (0.4.8) of libming, at commit 50e2bf7, there is a null pointer dereference in the getInt function of the decompile.c file, which can be triggered by the POC below.

To reproduce the issue, run ./swftophp $POC
The POC is attached.

==146840==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000042c454 bp 0x000000000022 sp 0x7ffca3ae5e10 T0)
==146840==The signal is caused by a READ memory access.
==146840==Hint: address points to the zero page.
#0 0x42c453 in getInt /u/test/test/product/libming/master/src/util/decompile.c:455
#1 0x42c453 in decompileGETPROPERTY /u/test/test/product/libming/master/src/util/decompile.c:1445
#2 0x42c453 in decompileAction /u/test/test/product/libming/master/src/util/decompile.c:3226
#3 0x44a0e4 in decompileActions /u/test/test/product/libming/master/src/util/decompile.c:3460
#4 0x44a0e4 in decompile5Action /u/test/test/product/libming/master/src/util/decompile.c:3483
#5 0x410b70 in outputSWF_DOACTION /u/test/test/product/libming/master/src/util/outputscript.c:1551
#6 0x402a48 in readMovie /u/test/test/product/libming/master/src/util/main.c:281
#7 0x402a48 in main /u/test/test/product/libming/master/src/util/main.c:354
#8 0x7fd038bc2c04 in __libc_start_main (/usr/lib64/libc.so.6+0x21c04)
#9 0x404073 (/home/test/test/product/libming/master/exe_asan/bin/swftophp+0x404073)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /u/test/test/product/libming/master/src/util/decompile.c:455 in getInt
==146840==ABORTING

libming_0-4-8_swftophp_null-pointer-dereference_getInt.swf.zip
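As an added triage helper (not part of this issue or of libming), the script below parses the sanitizer report above: it pulls out the fault address, the access kind and the innermost frame, and flags a zero-page address as a NULL pointer plus a field offset (0x10 here, i.e. a read 16 bytes into a struct reached through a NULL pointer). The embedded report is a constructed excerpt of the trace in this issue, and the 4096-byte zero-page threshold is an assumption for x86-64 Linux.

```python
import re

# Constructed sample: an excerpt of the AddressSanitizer report from this issue.
ASAN_REPORT = """\
==146840==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000042c454 bp 0x000000000022 sp 0x7ffca3ae5e10 T0)
==146840==The signal is caused by a READ memory access.
==146840==Hint: address points to the zero page.
    #0 0x42c453 in getInt /u/test/test/product/libming/master/src/util/decompile.c:455
    #1 0x42c453 in decompileGETPROPERTY /u/test/test/product/libming/master/src/util/decompile.c:1445
    #2 0x42c453 in decompileAction /u/test/test/product/libming/master/src/util/decompile.c:3226
SUMMARY: AddressSanitizer: SEGV /u/test/test/product/libming/master/src/util/decompile.c:455 in getInt
"""

# Assumption: the zero page is 4096 bytes; a fault below it is NULL plus an offset, not a real mapping.
ZERO_PAGE_SIZE = 4096

SEGV_RE = re.compile(r"AddressSanitizer: SEGV on unknown address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"signal is caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-fA-F]+ in (\S+) (\S+?):(\d+)")


def triage_segv(report: str) -> dict:
    """Extract fault address, access kind and innermost source frame from an ASan SEGV
    report, and classify a zero-page fault as a NULL dereference with a field offset."""
    addr_match = SEGV_RE.search(report)
    if addr_match is None:
        raise ValueError("not an AddressSanitizer SEGV report")
    addr = int(addr_match.group(1), 16)
    access = ACCESS_RE.search(report)
    # Only frames with a source path:line are kept; library frames without one are skipped.
    frames = [(int(n), fn, path, int(line)) for n, fn, path, line in FRAME_RE.findall(report)]
    top = min(frames, key=lambda f: f[0]) if frames else None
    null_deref = addr < ZERO_PAGE_SIZE
    return {
        "address": addr,
        "access": access.group(1) if access else "UNKNOWN",
        "kind": "null-deref" if null_deref else "wild-pointer",
        # For a zero-page fault the address itself is the offset of the field accessed via NULL.
        "field_offset": addr if null_deref else None,
        "function": top[1] if top else None,
        "location": f"{top[2]}:{top[3]}" if top else None,
    }


if __name__ == "__main__":
    for key, value in triage_segv(ASAN_REPORT).items():
        print(f"{key}: {value}")
```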
