Null pointer dereference in getName (decompile.c) #160

Open
JsHuang opened this Issue Sep 21, 2018 · 0 comments

JsHuang commented Sep 21, 2018

A null pointer dereference bug was found in function getName() (decompile.c:407).

Program received signal SIGSEGV, Segmentation fault.
0x0000000000408376 in getName (act=0x0) at decompile.c:407
407		switch( act->Type ) 	
(gdb) bt
#0  0x0000000000408376 in getName (act=0x0) at decompile.c:407
#1  0x000000000040c42d in decompileRETURN (n=1, actions=0x63c960, maxn=2) at decompile.c:1878
#2  0x000000000040c98e in decompileJUMP (n=1, actions=0x63c960, maxn=2) at decompile.c:1969
#3  0x000000000041106b in decompileAction (n=1, actions=0x63c960, maxn=2) at decompile.c:3325
#4  0x0000000000411546 in decompileActions (n=2, actions=0x63c960, indent=1) at decompile.c:3494
#5  0x000000000040d678 in decompile_SWITCH (n=0, actions=0x63c730, maxn=23, off1end=81) at decompile.c:2235
#6  0x000000000040ea0b in decompileIF (n=7, actions=0x632260, maxn=14) at decompile.c:2594
#7  0x00000000004110bb in decompileAction (n=7, actions=0x632260, maxn=14) at decompile.c:3335
#8  0x0000000000411546 in decompileActions (n=14, actions=0x632260, indent=0) at decompile.c:3494
#9  0x0000000000411648 in decompile5Action (n=14, actions=0x632260, indent=0) at decompile.c:3517
#10 0x0000000000405610 in outputSWF_DOACTION (pblock=0x631250) at outputscript.c:1551
#11 0x0000000000406970 in outputBlock (type=12, blockp=0x631250, stream=0x630010) at outputscript.c:2083
#12 0x00000000004073e8 in readMovie (f=0x630010) at main.c:281
#13 0x0000000000407734 in main (argc=2, argv=0x7fffffffe448) at main.c:354
(gdb) b decompile.c:407
Breakpoint 1 at 0x408372: file decompile.c, line 407.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/libming/util/swftophp segmentaion_fault_decompile_407
header indicates a filesize of 1484 but filesize is 128
<?php
$m = new SWFMovie(10);

ming_setscale(1.0);
$m->setRate(24.000000);
$m->setDimension(11672, 8000);
/*Unknown block type 69*/
 Stream out of sync after parse of blocktype 12 (SWF_DOACTION). 126 but expecting 113.

/* SWF_DOACTION */

Breakpoint 1, getName (act=0x0) at decompile.c:407
407		switch( act->Type ) 	
(gdb) p act
$1 = (struct SWF_ACTIONPUSHPARAM *) 0x0

To reproduce it, run swftophp with segmentaion_fault_decompile_407:

./swftophp segmentaion_fault_decompile_407

poc file https://github.com/JsHuang/libming-poc/blob/master/swftophp/segmentaion_fault_decompile_407

credit: ADLab of Venustech

segmentaion_fault_decompile_407.zip
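Added illustration, not libming's code and not the reporter's: the trace above shows decompileRETURN() handing getName() a NULL SWF_ACTIONPUSHPARAM, and getName() immediately doing `switch (act->Type)`. The block below models that pattern with hypothetical names (ActionPushParam, pop(), getName_unsafe(), getName_safe(), decompile_return_stream()): an operand stack whose pop() yields NULL on underflow, the unchecked dispatch that would fault exactly like line 407, and a hardened variant that rejects NULL and lets the caller report an out-of-sync action stream instead of crashing. The two input streams are constructed here, not taken from the PoC file.

```c
/* Added example, not libming code. Models the getName(NULL) crash pattern
 * from the report with a hypothetical operand stack and a hardened fix. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the SWF_ACTIONPUSHPARAM record in the trace. */
enum ParamType { PARAM_STRING = 0, PARAM_INT = 7, PARAM_VARIABLE = 42 };

struct ActionPushParam {
    enum ParamType Type;
    union { const char *String; int Integer; } p;
};

#define STACK_MAX 16
static struct ActionPushParam *Stack[STACK_MAX];
static int StackDepth;

static void push(struct ActionPushParam *act) {
    if (StackDepth < STACK_MAX) Stack[StackDepth++] = act;
}

/* Assumed failure mode: an underflowing pop() returns NULL rather than
 * aborting, so every consumer of its result must be prepared for NULL. */
static struct ActionPushParam *pop(void) {
    if (StackDepth == 0) return NULL;
    return Stack[--StackDepth];
}

/* Unsafe: mirrors the crashing shape "switch (act->Type)" with no check.
 * Calling this with act == NULL reproduces the SIGSEGV from the report. */
static const char *getName_unsafe(struct ActionPushParam *act, char *buf, size_t n) {
    switch (act->Type) {            /* NULL dereference happens here */
    case PARAM_STRING:   snprintf(buf, n, "\"%s\"", act->p.String); break;
    case PARAM_INT:      snprintf(buf, n, "%d", act->p.Integer);    break;
    case PARAM_VARIABLE: snprintf(buf, n, "$%s", act->p.String);    break;
    default:             snprintf(buf, n, "<type %d>", (int)act->Type); break;
    }
    return buf;
}

/* Hardened: refuse NULL up front; the caller decides how to report it. */
static const char *getName_safe(struct ActionPushParam *act, char *buf, size_t n) {
    if (act == NULL) return NULL;
    return getName_unsafe(act, buf, n);
}

/* Minimal action stream: 'P' pushes a string constant, 'R' returns the top. */
struct Op { char kind; const char *arg; };

static char g_out[64];               /* last name or diagnostic produced */

/* Returns 0 on success (returned operand's name in g_out), -1 on a RETURN
 * that finds the stack empty, which is the situation behind the crash. */
static int decompile_return_stream(const struct Op *ops, int nops) {
    struct ActionPushParam params[STACK_MAX];
    int used = 0;
    StackDepth = 0;
    g_out[0] = '\0';
    for (int i = 0; i < nops; i++) {
        if (ops[i].kind == 'P' && used < STACK_MAX) {
            params[used].Type = PARAM_STRING;
            params[used].p.String = ops[i].arg;
            push(&params[used++]);
        } else if (ops[i].kind == 'R') {
            struct ActionPushParam *act = pop();      /* may be NULL */
            if (getName_safe(act, g_out, sizeof g_out) == NULL) {
                snprintf(g_out, sizeof g_out, "/* RETURN with empty stack at op %d */", i);
                return -1;
            }
        }
    }
    return 0;
}

static const char *last_name(void) { return g_out; }

/* Constructed well-formed stream: push "x", then return it. */
static int demo_well_formed(void) {
    static const struct Op ops[] = { {'P', "x"}, {'R', NULL} };
    return decompile_return_stream(ops, 2);
}

/* Constructed truncated stream, like the PoC: RETURN with nothing pushed. */
static int demo_truncated(void) {
    static const struct Op ops[] = { {'R', NULL} };
    return decompile_return_stream(ops, 1);
}

int main(void) {
    printf("well-formed: rc=%d name=%s\n", demo_well_formed(), last_name());
    printf("truncated:   rc=%d diag=%s\n", demo_truncated(), last_name());
    return 0;
}
```

The point of the split into getName_unsafe()/getName_safe() is that the NULL can originate several frames above the dereference (here in pop(), in the trace somewhere between decompileRETURN and getName), so the check belongs at the boundary where the pointer is first consumed, and the caller should turn it into a diagnostic about the malformed SWF rather than silently continuing.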
