Heap-buffer-overflow problem in decompileJUMP function in util/decompile.c of libming v0.4.8 #168

Open
wcventure opened this Issue Dec 20, 2018 · 0 comments


wcventure commented Dec 20, 2018

Hi, there.

A heap-buffer-overflow problem was discovered in the decompileJUMP function in util/decompile.c of libming v0.4.8. This problem can be reproduced in the latest code base, too. A crafted input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.

Here is the POC file. Please use "./swftocxx $POC /dev/null" to reproduce the bug.
POC.zip

ASAN dumps the stack trace as follows:

=================================================================
==25654==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000020 at pc 0x00000053f463 bp 0x7fff09669d80 sp 0x7fff09669d78
READ of size 1 at 0x602000000020 thread T0
    #0 0x53f462 in decompileJUMP /libming/util/decompile.c:1932:64
    #1 0x536ae3 in decompileAction /libming/util/decompile.c:3325:10
    #2 0x551198 in decompileActions /libming/util/decompile.c:3494:6
    #3 0x548ca8 in decompileDEFINEFUNCTION /libming/util/decompile.c:2834:3
    #4 0x536dcf in decompileAction /libming/util/decompile.c:3354:10
    #5 0x551198 in decompileActions /libming/util/decompile.c:3494:6
    #6 0x550e42 in decompile5Action /libming/util/decompile.c:3517:2
    #7 0x5282f3 in outputSWF_DOACTION /libming/util/outputscript.c:1552:29
    #8 0x52502b in outputBlock /libming/util/outputscript.c:2083:4
    #9 0x5320a3 in readMovie /libming/util/main.c:281:4
    #10 0x5302a0 in main /libming/util/main.c:354:2
    #11 0x7fb78605482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x41aa08 in _start (/libming/bulid/bin/swftocxx+0x41aa08)

0x602000000020 is located 8 bytes to the right of 8-byte region [0x602000000010,0x602000000018)
allocated by thread T0 here:
    #0 0x4dadb0 in realloc /home/wencheng/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
    #1 0x52d212 in add_var /libming/util/outputscript.c:216:26
    #2 0x5143f8 in search_var /libming/util/outputscript.c:226:5
    #3 0x51401f in newobj /libming/util/outputscript.c:296:10
    #4 0x52c3f5 in outputHeader /libming/util/outputscript.c:2010:27
    #5 0x531704 in readMovieHeader /libming/util/main.c:231:2
    #6 0x52ff8d in main /libming/util/main.c:350:5
    #7 0x7fb78605482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /libming/util/decompile.c:1932:64 in decompileJUMP
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 fa[fa]fa 02 fa fa fa 00 00 fa fa 01 fa
  0x0c047fff8010: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 05 fa
  0x0c047fff8020: fa fa 05 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
  0x0c047fff8030: fa fa 05 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
  0x0c047fff8040: fa fa 05 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
  0x0c047fff8050: fa fa 05 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25654==ABORTING
Aborted
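As an added example (not part of this issue and not libming code), a small Python parser that pulls the triage facts out of an AddressSanitizer report like the one above: the bug class, the access kind and size, the first target frame of the faulting and allocating stacks, and how far outside the region the access landed. The sample report embedded in it is constructed from the first lines of the trace quoted in this issue; the signature it derives is one way to deduplicate fuzzer crashes by faulting source line.

```python
import re

# Constructed sample input: the opening lines of the ASan report quoted in the issue above.
SAMPLE_REPORT = """==25654==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000020 at pc 0x00000053f463 bp 0x7fff09669d80 sp 0x7fff09669d78
READ of size 1 at 0x602000000020 thread T0
    #0 0x53f462 in decompileJUMP /libming/util/decompile.c:1932:64
    #1 0x536ae3 in decompileAction /libming/util/decompile.c:3325:10
    #2 0x551198 in decompileActions /libming/util/decompile.c:3494:6

0x602000000020 is located 8 bytes to the right of 8-byte region [0x602000000010,0x602000000018)
allocated by thread T0 here:
    #0 0x4dadb0 in realloc /home/wencheng/CLib/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
    #1 0x52d212 in add_var /libming/util/outputscript.c:216:26
    #2 0x5143f8 in search_var /libming/util/outputscript.c:226:5
"""

ERROR_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at", re.M)
# Matches "#N 0xADDR in func path:line[:col]"; frames without a source location do not match.
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?\s*$", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
RUNTIME_MARKERS = ("compiler-rt", "asan_")  # frames inside the sanitizer runtime, not the target

def first_target_frame(block):
    """First frame of a stack that lies in the instrumented target rather than ASan's allocator hooks."""
    for func, path, line in FRAME_RE.findall(block):
        if not any(marker in path for marker in RUNTIME_MARKERS):
            return func, path, int(line)
    return None

def parse_asan_report(text):
    """Extract triage facts from a heap-buffer-overflow report; returns None if the text is not one."""
    head, access, region = ERROR_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (head and access and region):
        return None
    # Everything before "allocated by" is the faulting stack; everything after it is the allocation stack.
    access_block, _, alloc_block = text.partition("allocated by")
    crash = first_target_frame(access_block)
    return {
        "bug": head.group(2),
        "access": access.group(1),
        "size": int(access.group(2)),
        "crash_frame": crash,
        "alloc_frame": first_target_frame(alloc_block),
        "distance": int(region.group(1)),
        "side": region.group(2),
        "region_size": int(region.group(3)),
        # Stable key for deduplicating fuzzer crashes: bug class, access kind and faulting source line.
        "signature": "{}:{}:{}:{}".format(head.group(2), access.group(1), crash[1], crash[2]) if crash else None,
    }

if __name__ == "__main__":
    print(parse_asan_report(SAMPLE_REPORT))
```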