A null pointer dereference bug was found in function pushdup() (decompile.c:627)
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x0000000000408d10 in pushdup () at decompile.c:627
#2 0x000000000040aee1 in decompilePUSHDUP (act=0x69d300) at decompile.c:1424
#3 0x0000000000410d9f in decompileAction (n=12, actions=0x69cf40, maxn=52) at decompile.c:3248
#4 0x00000000004114dd in decompileActions (n=52, actions=0x69cf40, indent=4) at decompile.c:3494
#5 0x000000000040d60f in decompile_SWITCH (n=0, actions=0x69ce50, maxn=159, off1end=425) at decompile.c:2235
#6 0x000000000040e9a2 in decompileIF (n=40, actions=0x674150, maxn=94) at decompile.c:2594
#7 0x0000000000411052 in decompileAction (n=40, actions=0x674150, maxn=94) at decompile.c:3335
#8 0x00000000004114dd in decompileActions (n=94, actions=0x674150, indent=3) at decompile.c:3494
#9 0x000000000040d60f in decompile_SWITCH (n=0, actions=0x674060, maxn=398, off1end=275) at decompile.c:2235
#10 0x000000000040e9a2 in decompileIF (n=21, actions=0x65f5f0, maxn=117) at decompile.c:2594
#11 0x0000000000411052 in decompileAction (n=21, actions=0x65f5f0, maxn=117) at decompile.c:3335
#12 0x00000000004114dd in decompileActions (n=117, actions=0x65f5f0, indent=2) at decompile.c:3494
#13 0x000000000040d60f in decompile_SWITCH (n=0, actions=0x65f500, maxn=548, off1end=143) at decompile.c:2235
#14 0x000000000040e9a2 in decompileIF (n=11, actions=0x652970, maxn=130) at decompile.c:2594
#15 0x0000000000411052 in decompileAction (n=11, actions=0x652970, maxn=130) at decompile.c:3335
#16 0x00000000004114dd in decompileActions (n=130, actions=0x652970, indent=1) at decompile.c:3494
#17 0x000000000040d60f in decompile_SWITCH (n=0, actions=0x652880, maxn=142, off1end=697) at decompile.c:2235
#18 0x000000000040e9a2 in decompileIF (n=3, actions=0x63d410, maxn=4) at decompile.c:2594
#19 0x0000000000411052 in decompileAction (n=3, actions=0x63d410, maxn=4) at decompile.c:3335
#20 0x00000000004114dd in decompileActions (n=4, actions=0x63d410, indent=0) at decompile.c:3494
#21 0x00000000004115df in decompile5Action (n=4, actions=0x63d410, indent=0) at decompile.c:3517
#22 0x00000000004055e1 in outputSWF_DOACTION (pblock=0x631250) at outputscript.c:1551
#23 0x0000000000406907 in outputBlock (type=12, blockp=0x631250, stream=0x630010) at outputscript.c:2083
#24 0x000000000040737f in readMovie (f=0x630010) at main.c:281
#25 0x00000000004076cb in main (argc=2, argv=0x7fffffffe508) at main.c:354
(gdb) p Stack->val->p.String
$2 = (STRING) 0x0
622 // If element is a string, perform deep copy of Stack->val->p
623 if (Stack->val->Type == PUSH_STRING) {
624 t->val = calloc(1, sizeof(struct SWF_ACTIONPUSHPARAM));
625 *t->val = *Stack->val;
626
627 int len = strlen(Stack->val->p.String) + 1; // NULL terminated
628 t->val->p.String = calloc(len, sizeof(char));
To reproduce it, run swftopython with segmentaion_fault_decompile_627
./swftopython segmentaion_fault_decompile_627
poc file: https://github.com/JsHuang/libming-poc/blob/master/swftopython/segmentaion_fault_decompile_627
credit: ADLab of Venustech
segmentaion_fault_decompile_627.zip
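For readers of this report: the crash happens because the deep-copy branch at decompile.c:627 passes `Stack->val->p.String` to `strlen()` without checking it, and the gdb session shows that pointer is `0x0` for this PUSH_STRING element. The C below is an added example, not libming code and not the project's fix. It models the excerpt with simplified stand-in types (`struct PushParam`, `struct StackNode`, the `PUSH_STRING` and `PUSH_INT` values are assumptions, not the real headers) and puts the unchecked copy next to a guarded version that tolerates a NULL string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for libming's SWF_ACTIONPUSHPARAM and stack node.
 * These shapes and constant values are assumptions modelled on the excerpt
 * in the report, not the real libming headers. */
enum { PUSH_STRING = 0, PUSH_INT = 7 };

struct PushParam {
    int Type;
    union {
        char *String;
        int   Integer;
    } p;
};

struct StackNode {
    struct PushParam *val;
};

/* Free a node produced by either dup function below. */
static void node_free(struct StackNode *n)
{
    if (!n) return;
    if (n->val && n->val->Type == PUSH_STRING) free(n->val->p.String);
    free(n->val);
    free(n);
}

/* Vulnerable shape, mirroring decompile.c:622-628: strlen() is called on
 * p.String without a NULL check, so a PUSH_STRING element whose string is
 * NULL faults inside strlen (frame #0 of the backtrace in the report). */
static struct StackNode *dup_unchecked(const struct StackNode *top)
{
    struct StackNode *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->val = calloc(1, sizeof *t->val);
    if (!t->val) { free(t); return NULL; }
    *t->val = *top->val;                              /* shallow copy first */
    if (top->val->Type == PUSH_STRING) {
        size_t len = strlen(top->val->p.String) + 1;  /* NULL here -> SIGSEGV */
        t->val->p.String = calloc(len, sizeof(char));
        memcpy(t->val->p.String, top->val->p.String, len);
    }
    return t;
}

/* Guarded shape (an assumed fix, not the project's patch): a NULL string is
 * copied as NULL instead of being handed to strlen(), and allocation failure
 * is reported to the caller rather than dereferenced. */
static struct StackNode *dup_checked(const struct StackNode *top)
{
    if (!top || !top->val) return NULL;
    struct StackNode *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->val = calloc(1, sizeof *t->val);
    if (!t->val) { free(t); return NULL; }
    *t->val = *top->val;
    if (top->val->Type == PUSH_STRING) {
        const char *src = top->val->p.String;
        if (src == NULL) {
            t->val->p.String = NULL;                  /* keep "no string", no crash */
        } else {
            size_t len = strlen(src) + 1;
            t->val->p.String = malloc(len);
            if (!t->val->p.String) { free(t->val); free(t); return NULL; }
            memcpy(t->val->p.String, src, len);
        }
    }
    return t;
}

/* 1 if copy holds its own buffer with the same contents as top's string,
 * 0 if the element is not a string or its string was NULL and stayed NULL,
 * -1 if the copy is missing or inconsistent. */
static int dup_is_deep_copy(const struct StackNode *top, const struct StackNode *copy)
{
    if (!copy || !copy->val) return -1;
    if (top->val->Type != PUSH_STRING) return 0;
    if (top->val->p.String == NULL) return copy->val->p.String == NULL ? 0 : -1;
    return copy->val->p.String != top->val->p.String &&
           strcmp(copy->val->p.String, top->val->p.String) == 0;
}

int main(void)
{
    /* Constructed inputs: a normal string element and the crashing NULL one. */
    struct PushParam ok  = { PUSH_STRING, { .String = "hello" } };
    struct PushParam bad = { PUSH_STRING, { .String = NULL } };
    struct StackNode top_ok = { &ok }, top_bad = { &bad };

    struct StackNode *c1 = dup_checked(&top_ok);
    printf("deep copy of \"hello\": %d\n", dup_is_deep_copy(&top_ok, c1));
    struct StackNode *c2 = dup_checked(&top_bad);
    printf("NULL string handled: %d\n", dup_is_deep_copy(&top_bad, c2));
    node_free(c1);
    node_free(c2);
    /* dup_unchecked(&top_bad) would fault in strlen(), as in the report. */
    return 0;
}
```

The guarded version deliberately preserves NULL rather than substituting an empty string, so that whatever produced a PUSH_STRING with no string stays visible to the caller instead of being papered over; any consumer of the duplicated element then also needs to accept a NULL `p.String`, which is a separate audit. Whether upstream chose that or a different treatment is something to check in the project's fix commit, not something this example establishes.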