A heap-buffer-overflow problem was discovered in the decompileJUMP function in util/decompile.c of libming v0.4.8. This problem can be reproduced in the latest code base, too. A crafted input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.
Here is the POC file. Please use "./swftocxx $POC /dev/null" to reproduce the bug. POC.zip
ASAN dumps the stack trace as follows:
=================================================================
==25654==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000020 at pc 0x00000053f463 bp 0x7fff09669d80 sp 0x7fff09669d78
READ of size 1 at 0x602000000020 thread T0
#0 0x53f462 in decompileJUMP /libming/util/decompile.c:1932:64
#1 0x536ae3 in decompileAction /libming/util/decompile.c:3325:10
#2 0x551198 in decompileActions /libming/util/decompile.c:3494:6
#3 0x548ca8 in decompileDEFINEFUNCTION /libming/util/decompile.c:2834:3
#4 0x536dcf in decompileAction /libming/util/decompile.c:3354:10
#5 0x551198 in decompileActions /libming/util/decompile.c:3494:6
#6 0x550e42 in decompile5Action /libming/util/decompile.c:3517:2
#7 0x5282f3 in outputSWF_DOACTION /libming/util/outputscript.c:1552:29
#8 0x52502b in outputBlock /libming/util/outputscript.c:2083:4
#9 0x5320a3 in readMovie /libming/util/main.c:281:4
#10 0x5302a0 in main /libming/util/main.c:354:2
#11 0x7fb78605482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#12 0x41aa08 in _start (/libming/bulid/bin/swftocxx+0x41aa08)
0x602000000020 is located 8 bytes to the right of 8-byte region [0x602000000010,0x602000000018)
allocated by thread T0 here:
#0 0x4dadb0 in realloc /home/wencheng/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
#1 0x52d212 in add_var /libming/util/outputscript.c:216:26
#2 0x5143f8 in search_var /libming/util/outputscript.c:226:5
#3 0x51401f in newobj /libming/util/outputscript.c:296:10
#4 0x52c3f5 in outputHeader /libming/util/outputscript.c:2010:27
#5 0x531704 in readMovieHeader /libming/util/main.c:231:2
#6 0x52ff8d in main /libming/util/main.c:350:5
#7 0x7fb78605482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /libming/util/decompile.c:1932:64 in decompileJUMP
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 fa[fa]fa 02 fa fa fa 00 00 fa fa 01 fa
0x0c047fff8010: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 05 fa
0x0c047fff8020: fa fa 05 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
0x0c047fff8030: fa fa 05 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
0x0c047fff8040: fa fa 05 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
0x0c047fff8050: fa fa 05 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25654==ABORTING
Aborted