invalid memory read in outputSWF_TEXT_RECORD #77

Closed
bestshow opened this issue Jun 8, 2017 · 3 comments

@bestshow

bestshow commented Jun 8, 2017

On the latest libming version, an invalid memory read was found in function outputSWF_TEXT_RECORD.

#swftocxx $FILE out
=================================================================
SEGV on unknown address 0x00000000000c (pc 0x00000052876c bp 0x000000000000 sp 0x7ffcaa1a7620 T0)
==15250==The signal is caused by a READ memory access.
==15250==Hint: address points to the zero page.
    #0 0x52876b in outputSWF_TEXT_RECORD /home/haojun/Downloads/libming-master/util/outputscript.c:1429:13
    #1 0x52941d in outputSWF_DEFINETEXT2 /home/haojun/Downloads/libming-master/util/outputscript.c:1493:6
    #2 0x531311 in readMovie /home/haojun/Downloads/libming-master/util/main.c:277:4
    #3 0x531311 in main /home/haojun/Downloads/libming-master/util/main.c:350
    #4 0x7f086c2f7b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #5 0x41ae7b in _start (/home/haojun/Downloads/libming-afl-build/bin/swftocxx+0x41ae7b)

SEGV /home/haojun/Downloads/libming-master/util/outputscript.c:1429:13 in outputSWF_TEXT_RECORD
==15250==ABORTING

testcase : https://github.com/bestshow/p0cs/blob/master/invalid-memory-read-in_outputSWF_TEXT_RECORD
Credit : ADLab of Venustech

@hlef
Contributor

hlef commented Nov 18, 2017

fip and fip_current are static pointers to a linked list containing font information. This list and the two pointers are initialized and filled by saveFontInfo() (called by the outputSWF_DEFINEFONTxxxx() functions when defining new fonts).

In this case, saveFontInfo() isn't called at all (probably because the swf file doesn't define any font?).

Since fip and fip_current are static pointers they are initialized to NULL. So, when we try to access them at line 1429 (id = fi->fontcodeID), we perform a NULL pointer dereference.

A workaround would be to check for !fip_current, but I'm not sure about what should be done in this case. Report an error and exit, or warn and continue?

As far as I am aware, this issue wasn't assigned any CVE ID. I'll request one.

@hlef
Contributor

hlef commented Nov 18, 2017

For the record, this issue was assigned identifier CVE-2017-16883.

@strk
Member

strk commented Nov 20, 2017 via email

hlef added a commit to hlef/libming that referenced this issue Nov 20, 2017
fip and fip_current are static pointers to a linked list containing
fonts information. This list and the two pointers are initialized and
filled by saveFontInfo() (called by the outputSWF_DEFINEFONTxxxx()
functions when defining new fonts).

In the case where no font is defined, saveFontInfo() is never called
and the two list pointers are NULL.

This situation may trigger a NULL pointer dereference in
outputSWF_TEXT_RECORD. In this patch, we check for !fip_current
before dereferencing it. In the == NULL case, we print a warning and
continue.

This commit addresses CVE-2017-16883 (fixes libming#77).
@strk strk closed this as completed in f3a66c6 Nov 24, 2017
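The following is an added example, not libming's code and not code posted in this thread: a compact model of the NULL pointer dereference hlef describes above and of the behaviour the fix commit adopts (check fip_current, warn, continue). The struct name font_info, the functions save_font_info, output_text_record_unchecked, output_text_record_checked and process_movie, and the two-tag stream are assumptions chosen for illustration; only fip and fip_current keep the names quoted in the thread. The faulting address 0x0000000c in the SEGV line ("address points to the zero page") is consistent with reading a field at a small offset from a NULL struct pointer, which is exactly what the unchecked printer below does when no DefineFont tag preceded the text record.

```c
#include <stdio.h>
#include <stdlib.h>

/* Illustrative model, not libming's code. Names other than fip and
 * fip_current are assumed for this example. */
struct font_info {
    int fontcodeID;             /* id of the DefineFont tag this entry records */
    struct font_info *next;
};

/* Static list head and tail: zero-initialised, so NULL until a font is saved. */
static struct font_info *fip = NULL;
static struct font_info *fip_current = NULL;

/* Models saveFontInfo(): append an entry when a DefineFont tag is seen. */
static void save_font_info(int fontcodeID)
{
    struct font_info *fi = calloc(1, sizeof *fi);
    if (!fi) { perror("calloc"); exit(1); }
    fi->fontcodeID = fontcodeID;
    if (!fip)
        fip = fi;               /* first font becomes the list head */
    else
        fip_current->next = fi; /* later fonts link after the current tail */
    fip_current = fi;
}

/* Free the list and return both static pointers to their initial NULL state. */
static void reset_font_list(void)
{
    while (fip) {
        struct font_info *next = fip->next;
        free(fip);
        fip = next;
    }
    fip_current = NULL;
}

/* 'Before': unconditional dereference of the static tail pointer. With no
 * font defined this reads fontcodeID through NULL (the zero-page SEGV).
 * Only safe once a font exists. */
static int output_text_record_unchecked(int glyph_count)
{
    int id = fip_current->fontcodeID;
    printf("  text record: font id %d, %d glyphs\n", id, glyph_count);
    return id;
}

/* 'After', as the fix commit describes: test fip_current first, warn and
 * continue (returning -1) instead of crashing. */
static int output_text_record_checked(int glyph_count)
{
    if (!fip_current) {
        fprintf(stderr, "warning: text record but no font defined; skipping\n");
        return -1;
    }
    int id = fip_current->fontcodeID;
    printf("  text record: font id %d, %d glyphs\n", id, glyph_count);
    return id;
}

/* A tiny tag stream standing in for the SWF tags a real parser would read. */
enum tag_type { TAG_DEFINEFONT, TAG_DEFINETEXT2 };
struct tag {
    enum tag_type type;
    int value;                  /* font id for DEFINEFONT, glyph count for DEFINETEXT2 */
};

/* Walk a tag stream with the checked printer; return how many text records
 * were skipped for lack of a font (0 for a well-formed stream). */
static int process_movie(const struct tag *tags, size_t count)
{
    int skipped = 0;
    reset_font_list();
    for (size_t i = 0; i < count; i++) {
        if (tags[i].type == TAG_DEFINEFONT)
            save_font_info(tags[i].value);
        else if (output_text_record_checked(tags[i].value) < 0)
            skipped++;
    }
    reset_font_list();
    return skipped;
}

/* Constructed stream mirroring the crashing input: a text record with no
 * DefineFont before it. */
static int run_no_font_stream(void)
{
    static const struct tag s[] = { { TAG_DEFINETEXT2, 3 } };
    return process_movie(s, 1);
}

/* Constructed well-formed stream: one font, then a text record using it. */
static int run_with_font_stream(void)
{
    static const struct tag s[] = { { TAG_DEFINEFONT, 1 }, { TAG_DEFINETEXT2, 3 } };
    return process_movie(s, 2);
}

int main(void)
{
    printf("no font defined: %d record(s) skipped\n", run_no_font_stream());
    printf("font defined:    %d record(s) skipped\n", run_with_font_stream());
    save_font_info(1);              /* unchecked printer is only safe with a font */
    output_text_record_unchecked(3);
    reset_font_list();
    return 0;
}
```

The model keeps the fix's "warn and continue" policy rather than aborting, so a truncated or malformed movie still produces output for the records that do have a font; a caller that needs a hard failure can treat a negative return from the checked printer as an error instead.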