SIGSEGV in decompileJUMP in decompile.c:1932 #141

Open
c1208828 opened this issue May 14, 2018 · 3 comments
c1208828 commented May 14, 2018

https://docs.google.com/document/d/13xJhiIgDbqYwmR4j7aGEbKUU8KDl195mkw4rcvhT4J8/edit?usp=sharing
https://drive.google.com/open?id=1E7fkmjdvePRnsDoI1wpuZka0moHG7egl

Program received signal SIGSEGV, Segmentation fault.
0x000000000043a1e9 in decompileJUMP (maxn=6, actions=0x691740, n=4) at decompile.c:1932
1932 if (sactif->Actions[sactif->numActions-1].SWF_ACTIONRECORD.ActionCode==SWFACTION_JUMP
(gdb) bt
#0 0x000000000043a1e9 in decompileJUMP (maxn=6, actions=0x691740, n=4) at decompile.c:1932
#1 decompileAction (n=4, actions=0x691740, maxn=6) at decompile.c:3325
#2 0x0000000000440a65 in decompileActions (indent=, actions=0x691740, n=6) at decompile.c:3494
#3 decompileSETTARGET (n=, actions=, maxn=, is_type2=)
at decompile.c:3169
#4 0x000000000045752d in decompileActions (indent=, actions=0x6916a0, n=7) at decompile.c:3494
#5 decompile5Action (n=7, actions=0x6916a0, indent=indent@entry=0) at decompile.c:3517
#6 0x000000000040f34a in outputSWF_DOACTION (pblock=0x691250) at outputscript.c:1551
#7 0x000000000040211e in readMovie (f=0x690010) at main.c:281
#8 main (argc=, argv=) at main.c:354

Breakpoint 1, decompileJUMP (maxn=6, actions=0x691740, n=4) at decompile.c:1932
1932 if (sactif->Actions[sactif->numActions-1].SWF_ACTIONRECORD.ActionCode==SWFACTION_JUMP
(gdb) l
1927
1928 if (OpCode(actions, n+i+j, maxn) == SWFACTION_IF)
1929 {
1930 sactif = (struct SWF_ACTIONIF *)&(actions[n+i+j]);
1931 /* chk whether last jump does lead us back to start of loop */
1932 if (sactif->Actions[sactif->numActions-1].SWF_ACTIONRECORD.ActionCode==SWFACTION_JUMP
1933 && sactif->Actions[sactif->numActions-1].SWF_ACTIONJUMP.BranchOffset+
1934 sactif->Actions[sactif->numActions-1].SWF_ACTIONJUMP.Offset==
1935 actions[n].SWF_ACTIONRECORD.Offset )
1936 {

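The crash site in the listing indexes `sactif->Actions[sactif->numActions-1]` without first checking that the if-body actually holds a record. The following is an added illustration of that back-edge test written defensively; it is not libming's code or the fix referenced later in the thread. The `ActionRecord`/`ActionIf` structs, the `SWFACTION_JUMP` value and the sample offsets are constructed stand-ins for the `SWF_ACTIONRECORD`/`SWF_ACTIONJUMP`/`SWF_ACTIONIF` unions named in the gdb output.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified stand-ins for the libming records named in the
 * gdb listing (SWF_ACTIONRECORD, SWF_ACTIONJUMP, SWF_ACTIONIF). Field names
 * mirror the listing; the layout and opcode values are assumptions for this
 * example, not libming's definitions. */
#define SWFACTION_PUSH 0x96
#define SWFACTION_JUMP 0x99

struct ActionRecord {
    int ActionCode;    /* opcode of this action */
    int Offset;        /* position of this record in the action stream */
    int BranchOffset;  /* relative branch distance for JUMP/IF records */
};

struct ActionIf {
    int numActions;               /* number of records in the if-body */
    struct ActionRecord *Actions; /* the if-body; may be empty or NULL */
};

/* Defensive form of the back-edge test at decompile.c:1932. The original
 * expression indexes Actions[numActions-1] unconditionally; here an empty or
 * missing body yields 0 instead of reading before the start of the array.
 * Returns 1 only if the last action of the if-body is a JUMP whose absolute
 * target equals loop_start_offset. */
int jumps_back_to_loop_start(const struct ActionIf *sactif, int loop_start_offset)
{
    if (sactif == NULL || sactif->Actions == NULL || sactif->numActions <= 0)
        return 0;
    const struct ActionRecord *last = &sactif->Actions[sactif->numActions - 1];
    if (last->ActionCode != SWFACTION_JUMP)
        return 0;
    /* widen before adding so hostile offsets cannot cause signed overflow */
    return (long)last->BranchOffset + (long)last->Offset == (long)loop_start_offset;
}

/* Constructed sample if-body: a push at offset 10 followed by a JUMP at
 * offset 13 whose BranchOffset (-9) lands on loop start offset 4. */
static struct ActionRecord back_edge_body[] = {
    { SWFACTION_PUSH, 10, 0 },
    { SWFACTION_JUMP, 13, -9 },
};

int demo_back_edge(void)
{
    struct ActionIf s = { 2, back_edge_body };
    return jumps_back_to_loop_start(&s, 4);    /* 1: 13 + (-9) == 4 */
}

int demo_forward_jump(void)
{
    struct ActionIf s = { 2, back_edge_body };
    return jumps_back_to_loop_start(&s, 20);   /* 0: target is 4, not 20 */
}

/* numActions == 0: the unchecked expression would read Actions[-1] here */
int demo_empty_body(void)
{
    struct ActionIf s = { 0, back_edge_body };
    return jumps_back_to_loop_start(&s, 4);    /* 0 */
}

/* body pointer never set: the unchecked expression would dereference NULL */
int demo_null_body(void)
{
    struct ActionIf s = { 0, NULL };
    return jumps_back_to_loop_start(&s, 4);    /* 0 */
}

int main(void)
{
    printf("back edge:    %d\n", demo_back_edge());
    printf("forward jump: %d\n", demo_forward_jump());
    printf("empty body:   %d\n", demo_empty_body());
    printf("null body:    %d\n", demo_null_body());
    return 0;
}
```

The point of the guard is that `numActions` and `Actions` come from the parsed SWF, so a malformed file can present an if-block with no body; a decompiler that treats those fields as trusted indexes into its own structures reads outside them, which is the class of fault the backtrace above shows.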
@c1208828 c1208828 changed the title SIGSEV in decompileJUMP in decompile.c:1932 SIGSEGV in decompileJUMP in decompile.c:1932 May 16, 2018

FIOpwK commented May 17, 2018

assigned CVE:

CVE-2018-9009 (https://nvd.nist.gov/vuln/detail/CVE-2018-9009):
In libming 0.4.8, there is a use-after-free in the decompileJUMP function of
the decompile.c file.

hlef (Contributor) commented Jun 30, 2018

@FIOpwK No, this issue was assigned CVE-2018-11095. Why do you think this is a duplicate of #131?

@c1208828 Not reproducible on latest master. Seems to be fixed by 2027b24. Please, do not ask for CVE numbers before checking for reproducibility on latest master.

hlef (Contributor) commented Jun 30, 2018

Alright, duplicate of #82.
