Skip to content

heap buffer overflow in decompileIF #76

Closed
@bestshow

Description

@bestshow

On libming latest version, a heap buffer overflow was found in function decompileIF.

#swftocxx $FILE out
=================================================================
heap-buffer-overflow on address 0x6020000000a0 at pc 0x000000570171 bp 0x7fffe4c1cbe0 sp 0x7fffe4c1cbd8
READ of size 1 at 0x6020000000a0 thread T0
    #0 0x570170 in decompileIF /home/haojun/Downloads/libming-master/util/decompile.c:2369:79
    #1 0x5875eb in decompileActions /home/haojun/Downloads/libming-master/util/decompile.c:3401:6
    #2 0x5875eb in decompile5Action /home/haojun/Downloads/libming-master/util/decompile.c:3423
    #3 0x52a0c5 in outputSWF_DOACTION /home/haojun/Downloads/libming-master/util/outputscript.c:1548:29
    #4 0x531311 in readMovie /home/haojun/Downloads/libming-master/util/main.c:277:4
    #5 0x531311 in main /home/haojun/Downloads/libming-master/util/main.c:350
    #6 0x7f7029da9b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #7 0x41ae7b in _start (/home/haojun/Downloads/libming-afl-build/bin/swftocxx+0x41ae7b)

0x6020000000a0 is located 12 bytes to the right of 4-byte region [0x602000000090,0x602000000094)
allocated by thread T0 here:
    #0 0x4dfd76 in malloc /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x5d42e0 in readBytes /home/haojun/Downloads/libming-master/util/read.c:228:17
    #2 0x7f7029da9b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

heap-buffer-overflow /home/haojun/Downloads/libming-master/util/decompile.c:2369:79 in decompileIF
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 fa fa fa 02 fa fa fa 00 04 fa fa 01 fa
=>0x0c047fff8010: fa fa 04 fa[fa]fa 00 03 fa fa 07 fa fa fa 01 fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15153==ABORTING

testcase : https://github.com/bestshow/p0cs/blob/master/heap-buffer-overflow-in_decompileIF
Credit : ADLab of Venustech

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions