
Memory leaks on parseSWF_FILLSTYLEARRAY #311

Open
@mirusu400

Description


Environment

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Codename:       jammy

Compiler

$ clang -v
Ubuntu clang version 14.0.0-1ubuntu1.1
Target: x86_64-pc-linux-gnu
Thread model: posix

Steps to reproduce

./autogen.sh
./configure --disable-shared
cd util
make swftophp
./swftophp <PoC file>

Affected Version

libming v0.4.8 (https://github.com/libming/libming/releases/tag/ming-0_4_8)

Contents of PoC file

poc.zip

Expected Behavior

Print error or warning messages handled within swftophp.

Current Behavior

  • stdout
<?php
$m = new SWFMovie(13);

ming_setscale(1.0);
$m->setRate(6.941406);
$m->setDimension(0, 0);
$m->setFrames(1542);

/* SWF_PROTECT */
$m->protect("�����j\n��jQQQ�\nj�������������������77777777777777777�����������j\n��jQQQ�\nj��������7777!�FWS\nj��\r\r�\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r�\r\r����������\r����������������QQQ�\r\r\r\r\r\r����j\t�������");

/* SWF_DEFINESHAPE3 */

/* Shape 27144 (TYPE=3, RECT=168,-350 64,333)*/
$character27144 = new SWFShape();
/*8 fillstyle(s)*/
/*3 linestyles(s)*/
$character27144_l0_width = 771;
$character27144_l0_red   = 0x12;
$character27144_l0_green = 0x03;
$character27144_l0_blue  = 0x03;
$character27144_l0_alpha = 0x03;
$character27144_l1_width = 771;
$character27144_l1_red   = 0x03;
$character27144_l1_green = 0x37;
$character27144_l1_blue  = 0x37;
$character27144_l1_alpha = 0x37;
$character27144_l2_width = 14135;
$character27144_l2_red   = 0x37;
$character27144_l2_green = 0x37;
$character27144_l2_blue  = 0x37;
$character27144_l2_alpha = 0x37;
/* StateLineStyle: 3 */
$character27144->setLine($character27144_l2_width, $character27144_l2_red, $character27144_l2_green, $character27144_l2_blue, $character27144_l2_alpha);
$character27144->setRightFill($character27144_f101058053);
$character27144->movePenTo(-9211021, 15132414);

/* SWF_DEFINESHAPE3 */

/* Shape 770 (TYPE=3, RECT=0,0 0,0)*/
$character770 = new SWFShape();
/*3 fillstyle(s)*/
/*3 linestyles(s)*/
$character770_l0_width = 786;
$character770_l0_red   = 0x03;
$character770_l0_green = 0x03;
$character770_l0_blue  = 0x03;
$character770_l0_alpha = 0x03;
$character770_l1_width = 14083;
$character770_l1_red   = 0x37;
$character770_l1_green = 0x37;
$character770_l1_blue  = 0x37;
$character770_l1_alpha = 0x37;
$character770_l2_width = 14135;
$character770_l2_red   = 0x37;
$character770_l2_green = 0x37;
$character770_l2_blue  = 0x37;
$character770_l2_alpha = 0x37;
/* StateLineStyle: 3 */
$character770->setLine($character770_l2_width, $character770_l2_red, $character770_l2_green, $character770_l2_blue, $character770_l2_alpha);
$character770->setRightFill($character770_f101058054);
$character770->movePenTo(-9211021, 16654528);

/* SWF_DOACTION */
    Action: 5   50:SWFACTION_MBCHR
    Offset: 32
    Action: 6   51:SWFACTION_MBCHR
    Offset: 33
    Action: 7   52:SWFACTION_MBCHR
    Offset: 34
    Action: 8   53:SWFACTION_MBCHR
    Offset: 35
    Action: 9   54:SWFACTION_MBCHR
    Offset: 36
    Action: 10   55:SWFACTION_MBCHR
    Offset: 37
    Action: 11   56:SWFACTION_MBCHR
    Offset: 38
    Action: 12   57:SWFACTION_MBCHR
    Offset: 39
    Action: 13   58:SWFACTION_MBCHR
    Offset: 3a
    Action: 14   59:SWFACTION_MBCHR
    Offset: 3b
    Action: 15   60:SWFACTION_MBCHR
    Offset: 3c
    Action: 16   61:SWFACTION_MBCHR
    Offset: 3d
    Action: 17   62:SWFACTION_MBCHR
    Offset: 3e
$m->add(new SWFAction("") );
/*Unknown block type 220*/
skipping 13 bytes

/* SWF_FONTREF */

/* SWF_DOACTION */


  • stderr
header indicates a filesize of 101208077 but filesize is 197
 Stream out of sync after parse of blocktype 24 (SWF_PROTECT). 187 but expecting 21.
 Stream out of sync after parse of blocktype 32 (SWF_DEFINESHAPE3). 74 but expecting 33.
 Stream out of sync after parse of blocktype 32 (SWF_DEFINESHAPE3). 78 but expecting 43.
Stack blown!! - pop
=================================================================
==18459==ERROR: LeakSanitizer: detected memory leaks

...

Direct leak of 36 byte(s) in 2 object(s) allocated from:
    #0 0x55a363c6928e in __interceptor_malloc (/home/ubuntu/lab/libming/util/swftophp+0xbb28e) (BuildId: 8551de914f0fa059359bb0c15882dbeddbbf77b6)
    #1 0x55a363d1e348 in parseSWF_LINESTYLEARRAY /home/ubuntu/lab/libming/util/parser.c:684:25
...

You can get the full log here.

Analysis

libming/util/parser.c

Lines 608 to 625 in 04aee52

void
parseSWF_FILLSTYLEARRAY (FILE * f, SWF_FILLSTYLEARRAY * fillstyle, int level)
{
  int count, i;

  /* count is one byte, or 0xff followed by a 16-bit extended count */
  fillstyle->FillStyleCount = readUInt8 (f);
  count = fillstyle->FillStyleCount;
  if (fillstyle->FillStyleCount == 0xff)
    {
      fillstyle->FillStyleCountExtended = readUInt16 (f);
      count = fillstyle->FillStyleCountExtended;
    }
  /* heap array stored in fillstyle->FillStyles; no matching free() anywhere */
  fillstyle->FillStyles =
    (SWF_FILLSTYLE *) calloc (count, sizeof (SWF_FILLSTYLE));
  for (i = 0; i < count; i++)
    {
      parseSWF_FILLSTYLE (f, &(fillstyle->FillStyles[i]), level);
    }
}

In parseSWF_FILLSTYLEARRAY, we allocate the SWF_FILLSTYLE array on the heap and store it in the member fillstyle->FillStyles, but it is never freed.

This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted SWF file.
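Added example (editor's note, not libming code and not part of the report above): a self-contained model of the FILLSTYLEARRAY count encoding that pairs the allocation with a free and refuses a count the remaining input cannot back. `stream_t`, `fsa_parse`, `fsa_free` and `parse_and_free` are hypothetical names, and the 5-byte "type + RGBA" fill record is a simplification of the real SWF FILLSTYLE, which has several variants; the sample byte strings are constructed here, not taken from poc.zip. The length check is the caveat a practitioner would want alongside the fix: the PoC's stderr shows the stream going out of sync after every tag, and a parser that trusts an 0xff-extended count will calloc up to 65535 records for three bytes of input before it notices.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* In-memory stream standing in for the FILE * the real parser reads; every
 * read is bounds-checked so a truncated file is an error, not garbage. */
typedef struct { const uint8_t *buf; size_t len, pos; } stream_t;

static int read_u8(stream_t *s, uint8_t *out)
{
    if (s->pos >= s->len) return -1;
    *out = s->buf[s->pos++];
    return 0;
}

static int read_u16le(stream_t *s, uint16_t *out)
{
    if (s->len - s->pos < 2) return -1;
    *out = (uint16_t)(s->buf[s->pos] | (s->buf[s->pos + 1] << 8));
    s->pos += 2;
    return 0;
}

/* Assumption: a fill style is modelled as 1 type byte + RGBA (5 bytes). The
 * real SWF FILLSTYLE has several variants; this example is only about the
 * count encoding and who frees the array. */
typedef struct { uint8_t type, r, g, b, a; } fillstyle_t;
#define FILLSTYLE_WIRE_SIZE 5u

typedef struct {
    size_t count;         /* 8-bit count, or the 16-bit extended count */
    fillstyle_t *styles;  /* heap array owned by the caller, released by fsa_free() */
} fillstyle_array_t;

/* The counterpart the reported code lacks: one free per calloc. */
static void fsa_free(fillstyle_array_t *fsa)
{
    free(fsa->styles);
    fsa->styles = NULL;
    fsa->count = 0;
}

/* Same count encoding as parseSWF_FILLSTYLEARRAY (one byte, 0xff meaning a
 * uint16 follows). Returns 0 on success; on failure *fsa owns nothing. */
static int fsa_parse(stream_t *s, fillstyle_array_t *fsa)
{
    uint8_t c8;
    uint16_t c16;
    size_t i;
    fsa->count = 0;
    fsa->styles = NULL;
    if (read_u8(s, &c8) != 0) return -1;
    fsa->count = c8;
    if (c8 == 0xff) {
        if (read_u16le(s, &c16) != 0) return -1;
        fsa->count = c16;
    }
    /* Refuse a count the remaining bytes cannot back before allocating for it;
     * otherwise three crafted bytes buy a 65535-entry array on every tag. */
    if (fsa->count > (s->len - s->pos) / FILLSTYLE_WIRE_SIZE) return -1;
    if (fsa->count == 0) return 0;
    fsa->styles = calloc(fsa->count, sizeof *fsa->styles);
    if (fsa->styles == NULL) return -1;
    for (i = 0; i < fsa->count; i++) {
        fillstyle_t *f = &fsa->styles[i];
        if (read_u8(s, &f->type) || read_u8(s, &f->r) || read_u8(s, &f->g) ||
            read_u8(s, &f->b)    || read_u8(s, &f->a)) {
            fsa_free(fsa);  /* not reachable with fixed-size records, needed for variable ones */
            return -1;
        }
    }
    return 0;
}

/* Parse buf and return its style count after freeing it, or -1 if rejected:
 * the parse/free pairing every caller of the array parser should follow. */
int parse_and_free(const uint8_t *buf, size_t len)
{
    stream_t s = { buf, len, 0 };
    fillstyle_array_t fsa;
    int n;
    if (fsa_parse(&s, &fsa) != 0) return -1;
    n = (int)fsa.count;
    fsa_free(&fsa);
    return n;
}

/* Constructed inputs (not from the PoC): three solid fills using the colours
 * seen in the swftophp output, with an 8-bit count, with the 0xff-extended
 * encoding of the same count, and with a bogus extended count of 10000. */
#define THREE_FILLS 0x00,0x12,0x03,0x03,0x03, 0x00,0x03,0x37,0x37,0x37, 0x00,0x37,0x37,0x37,0x37
static const uint8_t SMALL_ARRAY[] = { 0x03, THREE_FILLS };
static const uint8_t EXT_ARRAY[]   = { 0xff, 0x03, 0x00, THREE_FILLS };
static const uint8_t HUGE_COUNT[]  = { 0xff, 0x10, 0x27, 0x00, 0x00 };

int demo_small(void)     { return parse_and_free(SMALL_ARRAY, sizeof SMALL_ARRAY); }
int demo_extended(void)  { return parse_and_free(EXT_ARRAY, sizeof EXT_ARRAY); }
int demo_huge(void)      { return parse_and_free(HUGE_COUNT, sizeof HUGE_COUNT); }
/* Same bytes as SMALL_ARRAY but two short: count says 3, the stream backs 2. */
int demo_truncated(void) { return parse_and_free(SMALL_ARRAY, sizeof SMALL_ARRAY - 2); }

int main(void)
{
    printf("small=%d extended=%d huge=%d truncated=%d\n",
           demo_small(), demo_extended(), demo_huge(), demo_truncated());
    return 0;
}
```

Running the block under `clang -fsanitize=address` the way the report was built reports no leak, because every successful `fsa_parse` is matched by `fsa_free` and every failing one leaves `styles` NULL; the same ownership rule (a `destroy` counterpart for each `parseSWF_*ARRAY` allocation, called from the tag's error and success paths) is what the reported code is missing.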
