An out-of-bounds write bug was found in the function strcpyext() in decompile.c.
Details, with the ASan output, are below:
```text
==30836==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ee18 at pc 0x000000410767 bp 0x7fff7361f360 sp 0x7fff7361f350
WRITE of size 1 at 0x60300000ee18 thread T0
    #0 0x410766 in strcpyext /src/libming-afl/util/decompile.c:259
    #1 0x41164a in getName /src/libming-afl/util/decompile.c:418
    #2 0x41705f in decompileGETVARIABLE /src/libming-afl/util/decompile.c:1816
    #3 0x41edd2 in decompileAction /src/libming-afl/util/decompile.c:3299
    #4 0x41f37d in decompileActions /src/libming-afl/util/decompile.c:3494
    #5 0x41e83c in decompileSETTARGET /src/libming-afl/util/decompile.c:3169
    #6 0x41f292 in decompileAction /src/libming-afl/util/decompile.c:3462
    #7 0x41f37d in decompileActions /src/libming-afl/util/decompile.c:3494
    #8 0x41f4b3 in decompile5Action /src/libming-afl/util/decompile.c:3517
    #9 0x40bb42 in outputSWF_DOACTION /src/libming-afl/util/outputscript.c:1551
    #10 0x40e171 in outputBlock /src/libming-afl/util/outputscript.c:2083
    #11 0x40f1c7 in readMovie /src/libming-afl/util/main.c:281
    #12 0x40f8fc in main /src/libming-afl/util/main.c:354
    #13 0x7f0d4149882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x401998 in _start (/src/fuzz/swftocxx+0x401998)

0x60300000ee18 is located 0 bytes to the right of 24-byte region [0x60300000ee00,0x60300000ee18)
allocated by thread T0 here:
    #0 0x7f0d41dfd602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x41162f in getName /src/libming-afl/util/decompile.c:417
    #2 0x41705f in decompileGETVARIABLE /src/libming-afl/util/decompile.c:1816
    #3 0x41edd2 in decompileAction /src/libming-afl/util/decompile.c:3299
    #4 0x41f37d in decompileActions /src/libming-afl/util/decompile.c:3494
    #5 0x41e83c in decompileSETTARGET /src/libming-afl/util/decompile.c:3169
    #6 0x41f292 in decompileAction /src/libming-afl/util/decompile.c:3462
    #7 0x41f37d in decompileActions /src/libming-afl/util/decompile.c:3494
    #8 0x41f4b3 in decompile5Action /src/libming-afl/util/decompile.c:3517
    #9 0x40bb42 in outputSWF_DOACTION /src/libming-afl/util/outputscript.c:1551
    #10 0x40e171 in outputBlock /src/libming-afl/util/outputscript.c:2083
    #11 0x40f1c7 in readMovie /src/libming-afl/util/main.c:281
    #12 0x40f8fc in main /src/libming-afl/util/main.c:354
    #13 0x7f0d4149882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libming-afl/util/decompile.c:259 strcpyext
Shadow bytes around the buggy address:
  0x0c067fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9dc0: 00 00 00[fa]fa fa fd fd fd fd fa fa fd fd fd fa
  0x0c067fff9dd0: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff9de0: fd fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff9df0: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==30836==ABORTING
```
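A triage helper for the report above, added here as an example (it is not code from the libming project or from the reporter): it pulls out the sanitizer fields that matter when confirming this finding (bug class, access size, distance from the 24-byte region, crash site and allocation site) and cross-checks the region bracket against the faulting address. The embedded report is a constructed excerpt of the output above.

```python
import re

# Constructed sample: the report above, trimmed to the lines the parser needs.
SAMPLE_REPORT = """\
==30836==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ee18 at pc 0x000000410767 bp 0x7fff7361f360 sp 0x7fff7361f350
WRITE of size 1 at 0x60300000ee18 thread T0
    #0 0x410766 in strcpyext /src/libming-afl/util/decompile.c:259
    #1 0x41164a in getName /src/libming-afl/util/decompile.c:418
0x60300000ee18 is located 0 bytes to the right of 24-byte region [0x60300000ee00,0x60300000ee18)
allocated by thread T0 here:
    #0 0x7f0d41dfd602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x41162f in getName /src/libming-afl/util/decompile.c:417
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libming-afl/util/decompile.c:259 strcpyext
"""

FRAME_RE = re.compile(r"#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
REGION_RE = re.compile(r"located (\d+) bytes to the (left|right) of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def first_source_frame(frames):
    """First frame that resolves to file:line (skips libasan/libc frames)."""
    for func, loc in frames:
        if re.search(r":\d+$", loc):
            return func, loc
    return None

def parse_asan_report(text):
    """Extract the fields needed to triage an ASan heap-buffer-overflow report."""
    m = re.search(r"ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)", text)
    if not m:
        raise ValueError("not an AddressSanitizer error report")
    info = {"bug_class": m.group(1), "address": int(m.group(2), 16)}
    m = re.search(r"^(READ|WRITE) of size (\d+)", text, re.M)
    if m:
        info["access"], info["access_size"] = m.group(1), int(m.group(2))
    m = REGION_RE.search(text)
    if m:
        info["offset"], info["side"] = int(m.group(1)), m.group(2)
        info["region_size"] = int(m.group(3))
        start, end = int(m.group(4), 16), int(m.group(5), 16)
        # Cross-check: bracket width equals stated size; for a right-side
        # overflow the faulting address sits exactly `offset` bytes past end.
        info["consistent"] = (end - start == info["region_size"] and
                              (info["side"] != "right" or info["address"] - end == info["offset"]))
        # Bytes touched past the end of the allocation (right-side overflow only).
        info["overrun_bytes"] = info["offset"] + info.get("access_size", 0) if info["side"] == "right" else None
    # Frames before "allocated by" form the crash stack, frames after it the allocation stack.
    crash, _, alloc = text.partition("allocated by")
    info["crash_site"] = first_source_frame(FRAME_RE.findall(crash))
    info["alloc_site"] = first_source_frame(FRAME_RE.findall(alloc))
    return info
```

For this report it yields a one-byte write exactly at the end of a 24-byte buffer allocated by getName at decompile.c:417 and overrun by strcpyext at decompile.c:259, which is the pattern of a copy that does not reserve room for the terminator or for an appended character.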
PoC file: https://github.com/JsHuang/libming-poc/blob/master/swftocxx/oob_write_decompile_259

To reproduce it, run swftocxx with oob_write_decompile_259: `./swftocxx oob_write_decompile_259`

Credit: ADLab of Venustech