In decompile.c:583, newVar5():
More specifically, decompileGETPROPERTY() passed a heap address with content 0 to getName(), and getName() just returned 0. However, decompileGETPROPERTY() didn't check the return value of getName() and directly passed it to newVar5(). So a null pointer is passed to newVar5(), then to strlen(), whose return value is a parameter of malloc().
This should be caused by the improper way 8dd118e was patched: getName() returns null to handle errors, but the return value was not checked properly where it was called, resulting in another null pointer dereference.
Asan info:
```text
header indicates a filesize of 35129653 but filesize is 65
<?php
$m = new SWFMovie(8);
ming_setscale(1.0);
$m->setRate(237.925781);
$m->setDimension(0, 1);
/* Note: xMin and/or yMin are not 0! */
$m->setFrames(3);
Stream out of sync after parse of blocktype 28 (SWF_REMOVEOBJECT2). 18 but expecting 32.
/* SWF_REMOVEOBJECT2 */
$m->remove($i771);
/*Unknown block type 433*/
/* SWF_DOACTION */
Can't get int for type: 10
ASAN:DEADLYSIGNAL
=================================================================
==23020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fab7cd575a1 bp 0x7ffcc4f02840 sp 0x7ffcc4f01fb8 T0)
==23020==The signal is caused by a READ memory access.
==23020==Hint: address points to the zero page.
    #0 0x7fab7cd575a0 (/lib/x86_64-linux-gnu/libc.so.6+0x18e5a0)
    #1 0x7fab7d5c657b (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5157b)
    #2 0x55fcf8c58f67 in newVar5 ../../util/decompile.c:583
    #3 0x55fcf8c5c6ef in decompileGETPROPERTY ../../util/decompile.c:1477
    #4 0x55fcf8c5c6ef in decompileAction ../../util/decompile.c:3260
    #5 0x55fcf8c60ff5 in decompileActions ../../util/decompile.c:3494
    #6 0x55fcf8c63048 in decompile5Action ../../util/decompile.c:3517
    #7 0x55fcf8c5138e in outputSWF_DOACTION ../../util/outputscript.c:1551
    #8 0x55fcf8c555cf in outputBlock ../../util/outputscript.c:2083
    #9 0x55fcf8c568db in readMovie ../../util/main.c:281
    #10 0x55fcf8c568db in main ../../util/main.c:354
    #11 0x7fab7cbeab96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #12 0x55fcf8c4b9a9 in _start (/libming/build/util/swftophp+0x139a9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18e5a0)
==23020==ABORTING
```
POC: libming_decompile583poc.zip
usage: ./swftophp libming_decompile583poc
Found by bjchan9an@gmail.com
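Added illustration of the bug pattern in this report; this is constructed C, not libming's code. The hypothetical get_name(), concat5() and getproperty_fixed() stand in for getName(), newVar5() and decompileGETPROPERTY(): the lookup returns NULL on error, the caller checks it before forwarding (the check the report says is missing), and the concatenation helper rejects NULL itself so strlen(NULL) cannot be reached through any other caller.

```c
/* Constructed model of the pattern in the report; NOT libming's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for getName(): like the patched original, it returns NULL to
 * signal an error (unknown index, missing or empty entry). */
static const char *get_name(const char *const *table, size_t count, size_t index)
{
    if (index >= count || table[index] == NULL || table[index][0] == '\0')
        return NULL;
    return table[index];
}

/* Stand-in for newVar5(): builds one heap string from five parts.
 * Defensive: a NULL part is rejected here too, so strlen(NULL) can never
 * run even if some other caller forgets its own check. */
static char *concat5(const char *a, const char *b, const char *c,
                     const char *d, const char *e)
{
    const char *parts[5] = { a, b, c, d, e };
    size_t total = 1;                      /* room for the terminator */
    for (int i = 0; i < 5; i++) {
        if (parts[i] == NULL)
            return NULL;                   /* error instead of a crash */
        total += strlen(parts[i]);
    }
    char *out = malloc(total);
    if (out == NULL)
        return NULL;
    out[0] = '\0';
    for (int i = 0; i < 5; i++)
        strcat(out, parts[i]);
    return out;
}

/* Stand-in for a fixed decompileGETPROPERTY(): the lookup result is checked
 * before it is forwarded, which is the check the report says was missing. */
static char *getproperty_fixed(const char *const *table, size_t count, size_t index)
{
    const char *name = get_name(table, count, index);
    if (name == NULL) {
        fprintf(stderr, "GETPROPERTY: bad property index %zu\n", index);
        return NULL;
    }
    return concat5("getProperty(", name, ", ", "_x", ")");
}

/* Constructed sample table: entry 1 is empty, like the "content 0" case. */
static const char *const sample_names[] = { "this", "", "_root" };
```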