Multiple SIGSEGV in decompileSETTARGET in decompile.c:3153 #142

Open
c1208828 opened this issue May 15, 2018 · 4 comments

c1208828 commented May 15, 2018

https://docs.google.com/document/d/1N-_obGIyAM5DGcrB7gHy89Oy68aDvxSMjrKaaM7KOFA/edit
https://drive.google.com/open?id=1VIFH7AuKjxhGnOvkqkbGpdgxRWLyX75e

Program received signal SIGSEGV, Segmentation fault.
decompileSETTARGET (n=2, actions=0x691cb0, maxn=9, is_type2=) at decompile.c:3153
3153 if (*name)
(gdb) bt
#0 decompileSETTARGET (n=2, actions=0x691cb0, maxn=9, is_type2=) at decompile.c:3153
#1 0x0000000000452755 in decompileActions (indent=2, actions=0x691cb0, n=9) at decompile.c:3494
#2 decompileIF (n=10, actions=0x691400, maxn=) at decompile.c:2656
#3 0x0000000000440a65 in decompileActions (indent=, actions=0x691400, n=12) at decompile.c:3494
#4 decompileSETTARGET (n=, actions=, maxn=, is_type2=)
at decompile.c:3169
#5 0x000000000045752d in decompileActions (indent=, actions=0x691360, n=13) at decompile.c:3494
#6 decompile5Action (n=13, actions=0x691360, indent=indent@entry=0) at decompile.c:3517
#7 0x000000000040f34a in outputSWF_DOACTION (pblock=0x691250) at outputscript.c:1551
#8 0x000000000040211e in readMovie (f=0x690010) at main.c:281
#9 main (argc=, argv=) at main.c:354

(gdb) l
3148 {
3149 int action_cnt=0;
3150 char *name;
3151 OUT_BEGIN2(SWF_ACTIONSETTARGET);
3152 name = is_type2 ? getString(pop()) : sact->TargetName;
3153 if (*name)
3154 {
3155 INDENT
3156 println("tellTarget('%s') {" ,name);
3157 while(action_cnt+n<maxn)

(gdb) info all-registers
rax 0x0 0
rbx 0x9 9
rcx 0xc 12
rdx 0xc 12
rsi 0x691a20 6887968
rdi 0x6919c0 6887872
rbp 0x0 0x0
rsp 0x7fffffffe160 0x7fffffffe160
r8 0x20 32
r9 0x42a2ff 4367103
r10 0xfffffffffffa5c73 -369549
r11 0x7ffff76720c4 140737344118980
r12 0x0 0
r13 0x2 2
r14 0x691cb0 6888624
r15 0xa 10
rip 0x43f00e 0x43f00e <decompileSETTARGET+222>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0


https://docs.google.com/document/d/1mmYrxpW0RUvE0fYgvPIUZSXTW1FP1DJspurusTRQP0w/edit
https://drive.google.com/open?id=1kqgqgli5FgzgxsWUBe2fhVKY04ZSOtpF

Program received signal SIGSEGV, Segmentation fault.
decompileSETTARGET (n=9, actions=0x69c5d0, maxn=13, is_type2=) at decompile.c:3153
3153 if (*name)
(gdb) bt
#0 decompileSETTARGET (n=9, actions=0x69c5d0, maxn=13, is_type2=) at decompile.c:3153
#1 0x0000000000451d6d in decompileActions (indent=, actions=, n=13) at decompile.c:3494
#2 decompile_SWITCH (n=0, off1end=, maxn=, actions=0x69c490) at decompile.c:2235
#3 decompileIF (n=, actions=, maxn=) at decompile.c:2594
#4 0x0000000000440a65 in decompileActions (indent=, actions=0x692040, n=12) at decompile.c:3494
#5 decompileSETTARGET (n=, actions=, maxn=, is_type2=)
at decompile.c:3169
#6 0x000000000045752d in decompileActions (indent=, actions=0x691fa0, n=13) at decompile.c:3494
#7 decompile5Action (n=13, actions=0x691fa0, indent=indent@entry=0) at decompile.c:3517
#8 0x000000000040f34a in outputSWF_DOACTION (pblock=0x691250) at outputscript.c:1551
#9 0x000000000040211e in readMovie (f=0x690010) at main.c:281
#10 main (argc=, argv=) at main.c:354
(gdb) l
3148 {
3149 int action_cnt=0;
3150 char *name;
3151 OUT_BEGIN2(SWF_ACTIONSETTARGET);
3152 name = is_type2 ? getString(pop()) : sact->TargetName;
3153 if (*name)
3154 {
3155 INDENT
3156 println("tellTarget('%s') {" ,name);
3157 while(action_cnt+n<maxn)
(gdb) info all-registers
rax 0x0 0
rbx 0xd 13
rcx 0xc 12
rdx 0xc 12
rsi 0x6a6ec0 6975168
rdi 0x691640 6886976
rbp 0x0 0x0
rsp 0x7fffffffe160 0x7fffffffe160
r8 0x20 32
r9 0x42a2ff 4367103
r10 0xfffffffffffa5c73 -369549
r11 0x7ffff76720c4 140737344118980
r12 0x0 0
r13 0x9 9
r14 0x69c5d0 6931920
r15 0x11 17
rip 0x43f00e 0x43f00e <decompileSETTARGET+222>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
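
The fault in both traces is at `if (*name)` with `rax == 0`: `name` is NULL, so the decompiler dereferences a pointer it never validated. Below is an added example, not libming's own code, that models the two lines from the listing above (`name = is_type2 ? getString(pop()) : sact->TargetName;` and the unchecked `if (*name)`) with a tiny stand-in value stack, and shows the hardened form beside it. The stack, `pop()`, `getString()` and the return codes are assumptions made for the demonstration; the point they illustrate is that a malformed SWF can reach ActionSetTarget2 with an empty stack or a non-string on top, and the type-2 path then hands a NULL `name` straight to the dereference.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libming code. A minimal stand-in for the decompiler's
 * ActionScript value stack; type names and helpers are assumptions. */
enum val_type { VAL_NONE = 0, VAL_STRING, VAL_INT };
struct value { enum val_type type; const char *s; int i; };

#define STACK_MAX 16
static struct value stack[STACK_MAX];
static int sp;
static char last_output[128];

static void reset_stack(void) { sp = 0; last_output[0] = '\0'; }
static void push_string(const char *s) {
    if (sp < STACK_MAX) { stack[sp].type = VAL_STRING; stack[sp].s = s; sp++; }
}
static void push_int(int i) {
    if (sp < STACK_MAX) { stack[sp].type = VAL_INT; stack[sp].i = i; sp++; }
}

/* pop() on an empty stack yields a "none" value: a malformed SWF can execute
 * ActionSetTarget2 without having pushed anything first. */
static struct value pop(void) {
    struct value none = { VAL_NONE, NULL, 0 };
    return sp > 0 ? stack[--sp] : none;
}

/* getString() has no string to return for a non-string value, so it yields
 * NULL (assumed behaviour, consistent with rax == 0 at the faulting rip). */
static const char *getString(struct value v) {
    return v.type == VAL_STRING ? v.s : NULL;
}

/* Vulnerable shape, following decompile.c:3152-3153 in the listing above:
 * name is dereferenced before anything checks that it is non-NULL. */
static int set_target_unchecked(int is_type2, const char *target_name) {
    const char *name = is_type2 ? getString(pop()) : target_name;
    if (*name) {                     /* SIGSEGV here when name == NULL */
        snprintf(last_output, sizeof last_output, "tellTarget('%s') {", name);
        return 0;
    }
    return 1;                        /* empty target: no block opened */
}

/* Hardened shape: reject a missing or non-string target before touching it. */
static int set_target_checked(int is_type2, const char *target_name) {
    const char *name = is_type2 ? getString(pop()) : target_name;
    if (name == NULL) {
        snprintf(last_output, sizeof last_output,
                 "/* ActionSetTarget: missing or non-string target */");
        return -1;                   /* malformed input, skipped safely */
    }
    if (*name) {
        snprintf(last_output, sizeof last_output, "tellTarget('%s') {", name);
        return 0;
    }
    return 1;
}

const char *last_line(void) { return last_output; }

/* Scenarios mirroring the inputs a fuzzer would produce. */
int checked_with_string_on_stack(void) { reset_stack(); push_string("clip1"); return set_target_checked(1, NULL); }
int checked_with_empty_stack(void)     { reset_stack(); return set_target_checked(1, NULL); }
int checked_with_int_on_stack(void)    { reset_stack(); push_int(7); return set_target_checked(1, NULL); }
int checked_type1(const char *name)    { reset_stack(); return set_target_checked(0, name); }
int unchecked_with_string_on_stack(void) { reset_stack(); push_string("clip1"); return set_target_unchecked(1, NULL); }

int main(void) {
    printf("checked, string on stack: %d -> %s\n", checked_with_string_on_stack(), last_line());
    printf("checked, empty stack:     %d -> %s\n", checked_with_empty_stack(), last_line());
    printf("checked, int on stack:    %d -> %s\n", checked_with_int_on_stack(), last_line());
    printf("unchecked, string:        %d -> %s\n", unchecked_with_string_on_stack(), last_line());
    /* reset_stack(); set_target_unchecked(1, NULL); would reproduce the NULL dereference. */
    return 0;
}
```

The hardened version only covers the NULL case the traces show; whether `sact->TargetName` on the type-1 path can also be NULL depends on the SWF parser and is not established by this report.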

@c1208828 c1208828 changed the title SIGSEV in decompileSETTARGET in decompile.c:3153 Multiple SIGSEV in decompileSETTARGET in decompile.c:3153 May 15, 2018
@c1208828 c1208828 changed the title Multiple SIGSEV in decompileSETTARGET in decompile.c:3153 Multiple SIGSEGV in decompileSETTARGET in decompile.c:3153 May 16, 2018

hlef commented Jul 1, 2018

Those are two different issues. Please, one bug report per issue.

POC3: Duplicate of #118 (CVE-2018-7866). Will be fixed in 2f8b17e.
POC4: Duplicate of the first part of #144 (CVE-2018-11226). Will be fixed in 86badaa.

Once again, please do not ask for CVE numbers before getting confirmation from upstream that the bug is really present and not a duplicate.


hlef commented Jul 1, 2018

BTW, this issue was assigned id CVE-2018-11100.

@hlef hlef self-assigned this Jul 1, 2018

JsHuang commented Sep 21, 2018

This issue is not fixed yet; the null pointer dereference still exists in decompileSETTARGET.


hlef commented Sep 22, 2018

The fix for #118 was not merged yet, so yes this is still crashing.
