Open
Description
Environment
ubuntu ~/lab/libming/util master lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.2 LTS
Release: 22.04
Codename: jammy
Compiler
ubuntu ~/lab/libming/util master clang -v
Ubuntu clang version 14.0.0-1ubuntu1.1
Target: x86_64-pc-linux-gnu
Thread model: posix
Steps to reproduce
./autogen.sh
./configure --disable-shared
cd util
make swftophp
./swftophp <PoC file>
Affected Version
libming v0.4.8 (https://github.com/libming/libming/releases/tag/ming-0_4_8)
Contents of PoC file
Expected Behavior
Error or warning messages are printed and handled within swftophp.
Current Behavior
- stdout
<?php
$m = new SWFMovie(13);
ming_setscale(1.0);
$m->setRate(6.941406);
$m->setDimension(0, 0);
$m->setFrames(1542);
/* SWF_PROTECT */
$m->protect("�����j\n��jQQQ�\nj�������������������77777777777777777�����������j\n��jQQQ�\nj��������7777!�FWS\nj��\r\r�\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r�\r\r����������\r����������������QQQ�\r\r\r\r\r\r����j\t�������");
/* SWF_DEFINESHAPE3 */
/* Shape 27144 (TYPE=3, RECT=168,-350 64,333)*/
$character27144 = new SWFShape();
/*8 fillstyle(s)*/
/*3 linestyles(s)*/
$character27144_l0_width = 771;
$character27144_l0_red = 0x12;
$character27144_l0_green = 0x03;
$character27144_l0_blue = 0x03;
$character27144_l0_alpha = 0x03;
$character27144_l1_width = 771;
$character27144_l1_red = 0x03;
$character27144_l1_green = 0x37;
$character27144_l1_blue = 0x37;
$character27144_l1_alpha = 0x37;
$character27144_l2_width = 14135;
$character27144_l2_red = 0x37;
$character27144_l2_green = 0x37;
$character27144_l2_blue = 0x37;
$character27144_l2_alpha = 0x37;
/* StateLineStyle: 3 */
$character27144->setLine($character27144_l2_width, $character27144_l2_red, $character27144_l2_green, $character27144_l2_blue, $character27144_l2_alpha);
$character27144->setRightFill($character27144_f101058053);
$character27144->movePenTo(-9211021, 15132414);
/* SWF_DEFINESHAPE3 */
/* Shape 770 (TYPE=3, RECT=0,0 0,0)*/
$character770 = new SWFShape();
/*3 fillstyle(s)*/
/*3 linestyles(s)*/
$character770_l0_width = 786;
$character770_l0_red = 0x03;
$character770_l0_green = 0x03;
$character770_l0_blue = 0x03;
$character770_l0_alpha = 0x03;
$character770_l1_width = 14083;
$character770_l1_red = 0x37;
$character770_l1_green = 0x37;
$character770_l1_blue = 0x37;
$character770_l1_alpha = 0x37;
$character770_l2_width = 14135;
$character770_l2_red = 0x37;
$character770_l2_green = 0x37;
$character770_l2_blue = 0x37;
$character770_l2_alpha = 0x37;
/* StateLineStyle: 3 */
$character770->setLine($character770_l2_width, $character770_l2_red, $character770_l2_green, $character770_l2_blue, $character770_l2_alpha);
$character770->setRightFill($character770_f101058054);
$character770->movePenTo(-9211021, 16654528);
/* SWF_DOACTION */
Action: 5 50:SWFACTION_MBCHR
Offset: 32
Action: 6 51:SWFACTION_MBCHR
Offset: 33
Action: 7 52:SWFACTION_MBCHR
Offset: 34
Action: 8 53:SWFACTION_MBCHR
Offset: 35
Action: 9 54:SWFACTION_MBCHR
Offset: 36
Action: 10 55:SWFACTION_MBCHR
Offset: 37
Action: 11 56:SWFACTION_MBCHR
Offset: 38
Action: 12 57:SWFACTION_MBCHR
Offset: 39
Action: 13 58:SWFACTION_MBCHR
Offset: 3a
Action: 14 59:SWFACTION_MBCHR
Offset: 3b
Action: 15 60:SWFACTION_MBCHR
Offset: 3c
Action: 16 61:SWFACTION_MBCHR
Offset: 3d
Action: 17 62:SWFACTION_MBCHR
Offset: 3e
$m->add(new SWFAction("") );
/*Unknown block type 220*/
skipping 13 bytes
/* SWF_FONTREF */
/* SWF_DOACTION */
- stderr
header indicates a filesize of 101208077 but filesize is 197
Stream out of sync after parse of blocktype 24 (SWF_PROTECT). 187 but expecting 21.
Stream out of sync after parse of blocktype 32 (SWF_DEFINESHAPE3). 74 but expecting 33.
Stream out of sync after parse of blocktype 32 (SWF_DEFINESHAPE3). 78 but expecting 43.
Stack blown!! - pop
=================================================================
==18459==ERROR: LeakSanitizer: detected memory leaks
...
Direct leak of 36 byte(s) in 2 object(s) allocated from:
#0 0x55a363c6928e in __interceptor_malloc (/home/ubuntu/lab/libming/util/swftophp+0xbb28e) (BuildId: 8551de914f0fa059359bb0c15882dbeddbbf77b6)
#1 0x55a363d1e348 in parseSWF_LINESTYLEARRAY /home/ubuntu/lab/libming/util/parser.c:684:25
...
You can get the full log here.
Analysis
Lines 608 to 625 in 04aee52
In parseSWF_FILLSTYLEARRAY, an SWF_FILLSTYLE buffer is allocated on the heap and assigned to fillstyle->FillStyles, but it is never freed.
This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted SWF file.
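The pattern the analysis describes, as an added example that is not libming's code: a simplified model of a fill-style array parser paired with the release routine the report says is missing, with an allocation counter so the leak is measurable. The struct and function names, the byte layout (count byte, 0xff for an extended 16-bit count, then type + RGBA per style) and the sample stream are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the parser's style records (assumed layout). */
struct FillStyle { uint8_t type, r, g, b, a; };
struct FillStyleArray { size_t count; struct FillStyle *FillStyles; };

static int live_allocs = 0;  /* heap blocks handed out and not yet released */

/* Parse a count byte (0xff means a 16-bit little-endian count follows),
 * then 5 bytes per style. Returns 0 on success, -1 on a short stream. */
int parseFillStyleArray(const uint8_t *buf, size_t len, struct FillStyleArray *out)
{
    size_t pos = 0, n, i;
    out->count = 0;
    out->FillStyles = NULL;
    if (len < 1) return -1;
    n = buf[pos++];
    if (n == 0xff) {
        if (len - pos < 2) return -1;
        n = buf[pos] | ((size_t)buf[pos + 1] << 8);
        pos += 2;
    }
    /* Refuse counts the remaining bytes cannot back, before allocating. */
    if (n > (len - pos) / 5) return -1;
    if (n == 0) return 0;
    out->FillStyles = malloc(n * sizeof *out->FillStyles);
    if (!out->FillStyles) return -1;
    live_allocs++;
    for (i = 0; i < n; i++, pos += 5)
        memcpy(&out->FillStyles[i], buf + pos, 5);  /* type, r, g, b, a */
    out->count = n;
    return 0;
}

/* The counterpart the report says is missing: every successful parse
 * must be matched by one call to this before the array goes away. */
void freeFillStyleArray(struct FillStyleArray *fs)
{
    if (fs->FillStyles) { free(fs->FillStyles); live_allocs--; }
    fs->FillStyles = NULL;
    fs->count = 0;
}

int liveAllocations(void) { return live_allocs; }

/* Constructed sample stream: two styles, each type byte + RGBA. */
static const uint8_t SAMPLE[] = { 2, 0x00,0x12,0x03,0x03,0x03, 0x10,0x37,0x37,0x37,0x37 };
```

Running the parser under LeakSanitizer without the matching free call reproduces the "Direct leak" report above; with it, the live count returns to zero.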