
Invalid memory read in stackVal() at decompile.c:1238 #268

Open
@fengzhengzhan

Description

Invalid memory read in the latest version of libming at function stackVal in util/decompile.c:1238.

Environment

Ubuntu 18.04, 64 bit
libming 0.4.8

Steps to reproduce

  1. download file
     wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
     tar -zxvf ming-0_4_8.tar.gz
  2. compile libming with ASAN
     cd libming-ming-0_4_8
     ./autogen.sh
     export FORCE_UNSAFE_CONFIGURE=1
     export LLVM_COMPILER=clang
     CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
     make
     make install

     cd obj-bc/bin/
     extract-bc swftophp
     clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
  3. command for reproducing the error
     ./swftophp_asan poc

Download poc: libming_0-4-8_swftophp_invalid-memory-read_decompile1238.zip

ASAN report

root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_invalid-memory-read_decompile1238.swf 
header indicates a filesize of 4278191411 but filesize is 166
<?php
$m = new SWFMovie();

ming_setscale(1.0);

/* Note: using v5+ syntax for script blocks (original SWF file version was 4)! */

$m->setRate(64.855469);
$m->setDimension(66, 327);

/* Note: xMin and/or yMin are not 0! */

$m->setFrames(7440);
 Stream out of sync after parse of blocktype 24 (SWF_PROTECT). 124 but expecting 58.

/* SWF_PROTECT */
$m->protect("\tJ�A�\n�=�b��h"�BAH���CU���!�����М{/��R���z��W:�6$QSՖ�;owf޼�0]x�\r�������\)���
                                                                                            ��Qp(#}�m�\_");
 Stream out of sync after parse of blocktype 9 (SWF_SETBACKGROUNDCOLOR). 63 but expecting 119.

/* SWF_SETBACKGROUNDCOLOR */
$m->setBackground(0x2f, 0xed, 0xd1);
 Stream out of sync after parse of blocktype 11 (SWF_DEFINETEXT). 165 but expecting 125.

/* SWF_DEFINETEXT */
$character24412 = new SWFText(1);
$character24412->setFont($f392);
$character24412->setHeight(30910);
$character24412->setColor(0x79, 0x9d, 0xb2);
$character24412->moveTo(0, -15327);
$character24412->addString("X");
Failed to find branch target!!!
Looking for: -28887

 Stream out of sync after parse of blocktype 12 (SWF_DOACTION). 138 but expecting 134.

/* SWF_DOACTION */
AddressSanitizer:DEADLYSIGNAL
=================================================================
==60499==ERROR: AddressSanitizer: SEGV on unknown address 0x601fffffffb0 (pc 0x000000502876 bp 0x7ffe6a2faa50 sp 0x7ffe6a2faa50 T0)
==60499==The signal is caused by a READ memory access.
    #0 0x502876 in stackVal /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1238:41
    #1 0x4fe03d in decompileIF /root/compiler1804/libming-ming-0_4_8/util/decompile.c:2395:7
    #2 0x4facdc in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3242:10
    #3 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
    #4 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
    #5 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
    #6 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
    #7 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
    #8 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
    #9 0x7f6f2645dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41b8d9 in _start (/root/compiler1804/libming-ming-0_4_8/obj-bc/bin/swftophp_asan+0x41b8d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1238:41 in stackVal
==60499==ABORTING
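The trace above ends in a read from an unmapped address inside a stack-value accessor called from the IF handler, after the decompiler has already reported a branch target it could not find. The example below is added here and is not code from the issue or from libming: it is a small, self-contained model of a decompiler loop in which every stack access and branch target is bounds-checked before use, so malformed input produces an error code instead of an out-of-bounds read. The action encoding (OP_PUSH, OP_IF, OP_END), the stack layout and all function names are hypothetical and exist only for this example; it does not claim to reproduce libming's data structures or the root cause at decompile.c:1238.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical action encoding used only by this example (not the SWF format):
 *   0x00        END
 *   0x01 vv     PUSH   signed 8-bit value
 *   0x02 lo hi  IF     pop a value; if nonzero, jump by a signed 16-bit
 *                      little-endian offset relative to the next instruction */
enum { OP_END = 0x00, OP_PUSH = 0x01, OP_IF = 0x02 };

/* Result codes returned by decode_actions(). */
enum {
    DEC_OK = 0,
    DEC_ERR_TRUNCATED,   /* operand runs past the end of the block */
    DEC_ERR_UNDERFLOW,   /* IF with nothing on the operand stack */
    DEC_ERR_OVERFLOW,    /* more pushes than the stack can hold */
    DEC_ERR_BAD_BRANCH,  /* branch target outside the block */
    DEC_ERR_LOOP,        /* step limit hit: branch cycle in malformed input */
    DEC_ERR_UNKNOWN_OP
};

#define STACK_MAX 16
#define STEP_LIMIT 1000

typedef struct {
    int vals[STACK_MAX];
    int top;               /* number of live entries; vals[top-1] is the top */
} OpStack;

/* Read the entry `depth` slots below the top without popping it.
 * Returns 0 instead of indexing outside vals[] when the stack is too shallow. */
static int stack_val(const OpStack *s, int depth, int *out) {
    if (depth < 0 || depth >= s->top) return 0;
    *out = s->vals[s->top - 1 - depth];
    return 1;
}

static int stack_push(OpStack *s, int v) {
    if (s->top >= STACK_MAX) return 0;
    s->vals[s->top++] = v;
    return 1;
}

static int stack_pop(OpStack *s, int *out) {
    if (!stack_val(s, 0, out)) return 0;
    s->top--;
    return 1;
}

/* Walk one action block of `len` bytes. Every operand read, stack access and
 * branch target is validated before use. */
int decode_actions(const uint8_t *buf, size_t len) {
    OpStack st = { {0}, 0 };
    size_t pc = 0;
    int steps = 0;

    while (pc < len) {
        if (++steps > STEP_LIMIT) return DEC_ERR_LOOP;
        uint8_t op = buf[pc++];
        switch (op) {
        case OP_END:
            return DEC_OK;
        case OP_PUSH:
            if (pc + 1 > len) return DEC_ERR_TRUNCATED;
            if (!stack_push(&st, (int8_t)buf[pc])) return DEC_ERR_OVERFLOW;
            pc += 1;
            break;
        case OP_IF: {
            int cond, off;
            if (pc + 2 > len) return DEC_ERR_TRUNCATED;
            off = buf[pc] | (buf[pc + 1] << 8);
            if (off >= 0x8000) off -= 0x10000;   /* sign-extend the 16-bit offset */
            pc += 2;
            if (!stack_pop(&st, &cond)) return DEC_ERR_UNDERFLOW;
            if (cond) {
                long target = (long)pc + off;
                if (target < 0 || target >= (long)len) return DEC_ERR_BAD_BRANCH;
                pc = (size_t)target;
            }
            break;
        }
        default:
            return DEC_ERR_UNKNOWN_OP;
        }
    }
    return DEC_ERR_TRUNCATED;   /* block ended without OP_END */
}

int main(void) {
    /* Constructed inputs: a well-formed block, an IF on an empty stack, and an
     * IF whose offset (-28887, the value in the report's "Looking for" line)
     * points far outside the block. */
    static const uint8_t good[]      = { OP_PUSH, 1, OP_IF, 0x02, 0x00, OP_PUSH, 5, OP_END };
    static const uint8_t underflow[] = { OP_IF, 0x00, 0x00, OP_END };
    static const uint8_t badbranch[] = { OP_PUSH, 1, OP_IF, 0x29, 0x8F, OP_END };

    printf("good:      %d\n", decode_actions(good, sizeof good));
    printf("underflow: %d\n", decode_actions(underflow, sizeof underflow));
    printf("badbranch: %d\n", decode_actions(badbranch, sizeof badbranch));
    return 0;
}
```

The two checks that matter for a crash of this shape are the depth test in stack_val() (a conditional that consumes more than the script pushed fails cleanly instead of reading below the stack) and the target range test in the IF case (an offset that leaves the block is rejected before it is used as an index). The step limit is a separate guard against crafted offsets that form a cycle, which a decompiler following branches would otherwise spin on.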
