Invalid memory read in stackVal() at decompile.c:1238 #268

Open
fengzhengzhan opened this issue Mar 21, 2023 · 0 comments

Invalid memory read in the latest version of libming at function stackVal in util/decompile.c:1238.

Environment

Ubuntu 18.04, 64 bit
libming 0.4.8

Steps to reproduce

  1. download file
wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
tar -zxvf ming-0_4_8.tar.gz
  2. compile libming with ASAN
cd libming-ming-0_4_8
./autogen.sh
export FORCE_UNSAFE_CONFIGURE=1
export LLVM_COMPILER=clang
CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
make
make install

cd obj-bc/bin/
extract-bc swftophp
clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
  3. command for reproducing the error
./swftophp_asan poc

Download poc: libming_0-4-8_swftophp_invalid-memory-read_decompile1238.zip

ASAN report

root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_invalid-memory-read_decompile1238.swf 
header indicates a filesize of 4278191411 but filesize is 166
<?php
$m = new SWFMovie();

ming_setscale(1.0);

/* Note: using v5+ syntax for script blocks (original SWF file version was 4)! */

$m->setRate(64.855469);
$m->setDimension(66, 327);

/* Note: xMin and/or yMin are not 0! */

$m->setFrames(7440);
 Stream out of sync after parse of blocktype 24 (SWF_PROTECT). 124 but expecting 58.

/* SWF_PROTECT */
$m->protect("\tJ�A�\n�=�b��h"�BAH���CU���!�����М{/��R���z��W:�6$QSՖ�;owf޼�0]x�\r�������\)���
                                                                                            ��Qp(#}�m�\_");
 Stream out of sync after parse of blocktype 9 (SWF_SETBACKGROUNDCOLOR). 63 but expecting 119.

/* SWF_SETBACKGROUNDCOLOR */
$m->setBackground(0x2f, 0xed, 0xd1);
 Stream out of sync after parse of blocktype 11 (SWF_DEFINETEXT). 165 but expecting 125.

/* SWF_DEFINETEXT */
$character24412 = new SWFText(1);
$character24412->setFont($f392);
$character24412->setHeight(30910);
$character24412->setColor(0x79, 0x9d, 0xb2);
$character24412->moveTo(0, -15327);
$character24412->addString("X");
Failed to find branch target!!!
Looking for: -28887

 Stream out of sync after parse of blocktype 12 (SWF_DOACTION). 138 but expecting 134.

/* SWF_DOACTION */
AddressSanitizer:DEADLYSIGNAL
=================================================================
==60499==ERROR: AddressSanitizer: SEGV on unknown address 0x601fffffffb0 (pc 0x000000502876 bp 0x7ffe6a2faa50 sp 0x7ffe6a2faa50 T0)
==60499==The signal is caused by a READ memory access.
    #0 0x502876 in stackVal /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1238:41
    #1 0x4fe03d in decompileIF /root/compiler1804/libming-ming-0_4_8/util/decompile.c:2395:7
    #2 0x4facdc in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3242:10
    #3 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
    #4 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
    #5 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
    #6 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
    #7 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
    #8 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
    #9 0x7f6f2645dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41b8d9 in _start (/root/compiler1804/libming-ming-0_4_8/obj-bc/bin/swftophp_asan+0x41b8d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1238:41 in stackVal
==60499==ABORTING