Null pointer dereference in newVar5 (decompile.c:583) #187

Open
bjchan9an opened this issue Nov 26, 2019 · 0 comments

bjchan9an commented Nov 26, 2019

In decompile.c:583, newVar5():

v->p.String = malloc(strlen(var)+strlen(var2)+strlen(var3)+strlen(var4)+strlen(var5)+1);

More specifically, decompileGETPROPERTY() passed a heap address with content 0 to getName(), and getName() just returned 0. However, decompileGETPROPERTY() didn't check the return value of getName() and directly passed it to newVar5(). So a null pointer is passed to newVar5(), then passed to strlen(), whose return value is a parameter of malloc().

This should be caused by the improper way of patching 8dd118e. getName() returns null to handle errors, but the return value was not checked properly where it was called, resulting in another null pointer dereference.

Asan info:

header indicates a filesize of 35129653 but filesize is 65
<?php
$m = new SWFMovie(8);

ming_setscale(1.0);
$m->setRate(237.925781);
$m->setDimension(0, 1);

/* Note: xMin and/or yMin are not 0! */

$m->setFrames(3);
 Stream out of sync after parse of blocktype 28 (SWF_REMOVEOBJECT2). 18 but expecting 32.

/* SWF_REMOVEOBJECT2 */
$m->remove($i771);
/*Unknown block type 433*/

/* SWF_DOACTION */
  Can't get int for type: 10
ASAN:DEADLYSIGNAL
=================================================================
==23020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fab7cd575a1 bp 0x7ffcc4f02840 sp 0x7ffcc4f01fb8 T0)
==23020==The signal is caused by a READ memory access.
==23020==Hint: address points to the zero page.
    #0 0x7fab7cd575a0  (/lib/x86_64-linux-gnu/libc.so.6+0x18e5a0)
    #1 0x7fab7d5c657b  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5157b)
    #2 0x55fcf8c58f67 in newVar5 ../../util/decompile.c:583
    #3 0x55fcf8c5c6ef in decompileGETPROPERTY ../../util/decompile.c:1477
    #4 0x55fcf8c5c6ef in decompileAction ../../util/decompile.c:3260
    #5 0x55fcf8c60ff5 in decompileActions ../../util/decompile.c:3494
    #6 0x55fcf8c63048 in decompile5Action ../../util/decompile.c:3517
    #7 0x55fcf8c5138e in outputSWF_DOACTION ../../util/outputscript.c:1551
    #8 0x55fcf8c555cf in outputBlock ../../util/outputscript.c:2083
    #9 0x55fcf8c568db in readMovie ../../util/main.c:281
    #10 0x55fcf8c568db in main ../../util/main.c:354
    #11 0x7fab7cbeab96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #12 0x55fcf8c4b9a9 in _start (/libming/build/util/swftophp+0x139a9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18e5a0) 
==23020==ABORTING

POC: libming_decompile583poc.zip
usage: ./swftophp libming_decompile583poc

Found by bjchan9an@gmail.com
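Added example, not libming's own code: the unchecked concatenation shape that crashes when a lookup returns NULL, beside a hardened version whose caller checks the lookup first. lookup_name(), concat5_unchecked(), concat5_checked() and emit_property() are hypothetical stand-ins for getName(), newVar5() and decompileGETPROPERTY().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for getName(): returns NULL when the slot holds
 * no usable name, which is the error path the report describes. */
static const char *lookup_name(const char *slot) {
    return (slot != NULL && slot[0] != '\0') ? slot : NULL;
}

/* Vulnerable shape (as at decompile.c:583): strlen() on every argument
 * with no NULL check, so a NULL from the lookup reads the zero page. */
static char *concat5_unchecked(const char *a, const char *b, const char *c,
                               const char *d, const char *e) {
    size_t n = strlen(a) + strlen(b) + strlen(c) + strlen(d) + strlen(e) + 1;
    char *out = malloc(n);
    if (out == NULL) return NULL;
    snprintf(out, n, "%s%s%s%s%s", a, b, c, d, e);
    return out;
}

/* Hardened shape: refuse any NULL input and report failure to the caller
 * instead of faulting inside strlen(). */
static char *concat5_checked(const char *a, const char *b, const char *c,
                             const char *d, const char *e) {
    const char *parts[5] = { a, b, c, d, e };
    size_t n = 1;
    for (int i = 0; i < 5; i++) {
        if (parts[i] == NULL) return NULL;   /* propagate the error upward */
        n += strlen(parts[i]);
    }
    char *out = malloc(n);
    if (out == NULL) return NULL;
    out[0] = '\0';
    for (int i = 0; i < 5; i++) strcat(out, parts[i]);
    return out;
}

/* Caller modelled on decompileGETPROPERTY(): check the lookup result
 * before handing it on. Returns 0 on success, -1 when the name is missing
 * or allocation fails; *result is NULL on failure. */
static int emit_property(const char *slot, char **result) {
    const char *name = lookup_name(slot);
    if (name == NULL) { *result = NULL; return -1; }
    *result = concat5_checked("getProperty(", name, ", ", "\"_x\"", ")");
    return (*result != NULL) ? 0 : -1;
}
```

With the constructed empty slot, emit_property() fails cleanly where the unchecked path would segfault; the input file that triggers the real crash is only the attached POC.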

@bjchan9an bjchan9an changed the title SEGV in newVar5 (decompile.c:583) Null pointer dereference in newVar5 (decompile.c:583) Nov 26, 2019