Heap overflows in parser.c #68
The following bugs were found with AFLGo, a directed version of the fuzzer AFL / AFLFast. Thanks also to Van-Thuan Pham.
These issues are related to #58. The Libming utility listswf crashes due to a heap-based buffer overflow in the function parseSWF_RGBA and several other functions in parser.c. AddressSanitizer flags them as invalid writes "of size 1" but the heap can actually be written to multiple times (e.g., in each line of parser.c:58-71). The overflows are caused by a pointer behind the bounds of a statically allocated array of structs of type SWF_GRADIENTRECORD.
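As an added illustration (not part of this issue and not libming's own code), the C sketch below shows the parsing pattern the report describes and the bound check a fix of this kind needs: the record count is read from the file, and the parser refuses any count larger than the fixed-size array before the write loop runs, so the record pointer can never move past the last element. The struct names, the capacity of 8 records, the 5-byte record layout and the return codes are assumptions for this example, not libming's actual definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity; the real size of the SWF_GRADIENTRECORD array is not stated on the page. */
#define MAX_GRADIENT_RECORDS 8

/* Stand-in for SWF_GRADIENTRECORD: a position ratio plus an RGBA colour. */
typedef struct {
    uint8_t ratio;
    uint8_t r, g, b, a;
} gradient_record_t;

/* Stand-in for the enclosing gradient: a statically sized array, as in the report. */
typedef struct {
    uint8_t num_records;
    gradient_record_t records[MAX_GRADIENT_RECORDS];
} gradient_t;

/* Read one 5-byte RGBA record at *pos. Returns 0 on success, -1 if the input is exhausted. */
static int parse_rgba(const uint8_t *buf, size_t len, size_t *pos, gradient_record_t *rec)
{
    if (*pos + 5 > len)
        return -1;
    rec->ratio = buf[*pos + 0];
    rec->r     = buf[*pos + 1];
    rec->g     = buf[*pos + 2];
    rec->b     = buf[*pos + 3];
    rec->a     = buf[*pos + 4];
    *pos += 5;
    return 0;
}

/*
 * Parse a count byte followed by that many records into a fixed array.
 * Returns the number of records parsed, -1 on truncated input, or -2 when the
 * file's count exceeds the array capacity. Without the capacity check, the
 * loop below would keep writing records[i] past the end of the array, which is
 * the out-of-bounds write pattern the issue describes.
 */
int parse_gradient(const uint8_t *buf, size_t len, gradient_t *out)
{
    size_t pos = 0;
    if (len < 1)
        return -1;
    uint8_t count = buf[pos++];

    /* The bound check: reject before touching the array. */
    if (count > MAX_GRADIENT_RECORDS)
        return -2;

    memset(out, 0, sizeof *out);
    out->num_records = count;
    for (uint8_t i = 0; i < count; i++) {
        if (parse_rgba(buf, len, &pos, &out->records[i]) != 0)
            return -1;
    }
    return count;
}

/* Constructed sample inputs (not taken from any real SWF file). */
static const uint8_t GOOD_INPUT[] = {
    2,                          /* two records */
    0x00, 0xff, 0x00, 0x00, 0xff, /* ratio 0, red, opaque */
    0xff, 0x00, 0x00, 0xff, 0xff  /* ratio 255, blue, opaque */
};
static const uint8_t OVERSIZED_INPUT[] = { 200, 0, 0, 0, 0, 0 }; /* count far above capacity */
static const uint8_t TRUNCATED_INPUT[] = { 3, 0, 0, 0, 0, 0 };   /* claims 3, carries 1 */

int run_good(void)       { gradient_t g; return parse_gradient(GOOD_INPUT, sizeof GOOD_INPUT, &g); }
int run_oversized(void)  { gradient_t g; return parse_gradient(OVERSIZED_INPUT, sizeof OVERSIZED_INPUT, &g); }
int run_truncated(void)  { gradient_t g; return parse_gradient(TRUNCATED_INPUT, sizeof TRUNCATED_INPUT, &g); }

/* Blue channel of the second parsed record, to show the records land where expected. */
int good_second_record_blue(void)
{
    gradient_t g;
    if (parse_gradient(GOOD_INPUT, sizeof GOOD_INPUT, &g) != 2)
        return -1;
    return g.records[1].b;
}

int main(void)
{
    printf("good: %d  oversized: %d  truncated: %d\n", run_good(), run_oversized(), run_truncated());
    return 0;
}
```

The oversized case is the one that matters for this report: the count is rejected up front, so no write ever targets an index at or beyond MAX_GRADIENT_RECORDS, and a sanitizer run over the same input stays clean.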
Sample crash-inducing input: libming1.swf.zip
The bugs are fixed by the following patch (preventing the pointer behind the array bounds):