You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi, I found a null pointer dereference in function decompileINCR_DECR at util/decompile.c:1597 on the latest master (5009802).
The details are as follows:
`==17334==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000004161cf bp 0x7fff4e703770 sp 0x7fff4e703730 T0)
#0 0x4161ce in decompileINCR_DECR /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/decompile.c:1597 #1 0x41ee50 in decompileAction /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/decompile.c:3315 #2 0x41f37d in decompileActions /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/decompile.c:3494 #3 0x41f4b3 in decompile5Action /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/decompile.c:3517 #4 0x40bb42 in outputSWF_DOACTION /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/outputscript.c:1551 #5 0x40e171 in outputBlock /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/outputscript.c:2083 #6 0x40f1c7 in readMovie /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/main.c:281 #7 0x40f8fc in main /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/main.c:354 #8 0x7fb88a77182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #9 0x401998 in _start (/home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/swftocxx+0x401998)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/decompile.c:1597 decompileINCR_DECR
==17334==ABORTING
`
I debugged and got the following details at util/decompile.c:1597:
`(gdb) p regs
$3 = {0x0, 0x60300000ed70, 0x60300000ed40, 0x60300000ed10, 0x60300000ece0, 0x0 <repeats
251 times>}
(gdb) p actions[n+1].SWF_ACTIONSTOREREGISTER.Register
$4 = 0 '\000'
(gdb) p regs[actions[n+1].SWF_ACTIONSTOREREGISTER.Register]
$5 = (struct SWF_ACTIONPUSHPARAM *) 0x0
(gdb) p regs[actions[n+1].SWF_ACTIONSTOREREGISTER.Register]->Type
Cannot access memory at address 0x10
(gdb) s
Program received signal SIGSEGV, Segmentation fault.
0x00000000004161cf in decompileINCR_DECR (n=9, actions=0x61e00000f080, maxn=30, is_incr
=0) at decompile.c:1597
`
Because regs[actions[n+1].SWF_ACTIONSTOREREGISTER.Register] is null, there exists a null pointer dereference when accessing regs[actions[n+1].SWF_ACTIONSTOREREGISTER.Register]->Type.
Hi, I found a null pointer dereference in function decompileINCR_DECR at util/decompile.c:1597 on the latest master (5009802).
The details are as follows:
`==17334==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000004161cf bp 0x7fff4e703770 sp 0x7fff4e703730 T0)
#0 0x4161ce in decompileINCR_DECR /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/decompile.c:1597
#1 0x41ee50 in decompileAction /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/decompile.c:3315
#2 0x41f37d in decompileActions /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/decompile.c:3494
#3 0x41f4b3 in decompile5Action /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/decompile.c:3517
#4 0x40bb42 in outputSWF_DOACTION /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/outputscript.c:1551
#5 0x40e171 in outputBlock /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/outputscript.c:2083
#6 0x40f1c7 in readMovie /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/main.c:281
#7 0x40f8fc in main /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/main.c:354
#8 0x7fb88a77182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x401998 in _start (/home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/swftocxx+0x401998)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zyn/Lollycode/tested/libming0.4.8/poc-libming-master/util/decompile.c:1597 decompileINCR_DECR
==17334==ABORTING
`
I debugged and got the following details at util/decompile.c:1597:
`(gdb) p regs
$3 = {0x0, 0x60300000ed70, 0x60300000ed40, 0x60300000ed10, 0x60300000ece0, 0x0 <repeats
251 times>}
(gdb) p actions[n+1].SWF_ACTIONSTOREREGISTER.Register
$4 = 0 '\000'
(gdb) p regs[actions[n+1].SWF_ACTIONSTOREREGISTER.Register]
$5 = (struct SWF_ACTIONPUSHPARAM *) 0x0
(gdb) p regs[actions[n+1].SWF_ACTIONSTOREREGISTER.Register]->Type
Cannot access memory at address 0x10
(gdb) s
Program received signal SIGSEGV, Segmentation fault.
0x00000000004161cf in decompileINCR_DECR (n=9, actions=0x61e00000f080, maxn=30, is_incr
=0) at decompile.c:1597
`
Because regs[actions[n+1].SWF_ACTIONSTOREREGISTER.Register] is null, there exists a null pointer dereference when accessing regs[actions[n+1].SWF_ACTIONSTOREREGISTER.Register]->Type.
POC file:
poc-1597.zip
The text was updated successfully, but these errors were encountered: