
invalid memory read in outputSWF_TEXT_RECORD #77

Closed
bestshow opened this issue Jun 8, 2017 · 3 comments

Comments

Projects
None yet
3 participants
@bestshow
commented Jun 8, 2017

On the latest libming version, an invalid memory read was found in function outputSWF_TEXT_RECORD.

#swftocxx $FILE out
=================================================================
SEGV on unknown address 0x00000000000c (pc 0x00000052876c bp 0x000000000000 sp 0x7ffcaa1a7620 T0)
==15250==The signal is caused by a READ memory access.
==15250==Hint: address points to the zero page.
    #0 0x52876b in outputSWF_TEXT_RECORD /home/haojun/Downloads/libming-master/util/outputscript.c:1429:13
    #1 0x52941d in outputSWF_DEFINETEXT2 /home/haojun/Downloads/libming-master/util/outputscript.c:1493:6
    #2 0x531311 in readMovie /home/haojun/Downloads/libming-master/util/main.c:277:4
    #3 0x531311 in main /home/haojun/Downloads/libming-master/util/main.c:350
    #4 0x7f086c2f7b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #5 0x41ae7b in _start (/home/haojun/Downloads/libming-afl-build/bin/swftocxx+0x41ae7b)

SEGV /home/haojun/Downloads/libming-master/util/outputscript.c:1429:13 in outputSWF_TEXT_RECORD
==15250==ABORTING

Testcase: https://github.com/bestshow/p0cs/blob/master/invalid-memory-read-in_outputSWF_TEXT_RECORD
Credit: ADLab of Venustech

@hlef

Contributor

commented Nov 18, 2017

fip and fip_current are static pointers to a linked list containing fonts information. This list and the two pointers are initialized and filled by saveFontInfo() (called by the outputSWF_DEFINEFONTxxxx() functions when defining new fonts).

In this case, saveFontInfo() isn't called at all (probably because the swf file doesn't define any font?).

Since fip and fip_current are static pointers they are initialized to NULL. So, when we try to access them at line 1429 (id = fi->fontcodeID), we perform a NULL pointer dereference.

A workaround would be to check for !fip_current, but I'm not sure about what should be done in this case. Report an error and exit, or warn and continue?

As far as I am aware, this issue wasn't assigned any CVE ID. I'll request one.

@hlef

Contributor

commented Nov 18, 2017

For the record, this issue was assigned identifier CVE-2017-16883.

@strk

Member

commented Nov 20, 2017

hlef added a commit to hlef/libming that referenced this issue Nov 20, 2017

Fix NULL pointer deref in outputSWF_TEXT_RECORD
fip and fip_current are static pointers to a linked list containing
fonts information. This list and the two pointers are initialized and
filled by saveFontInfo() (called by the outputSWF_DEFINEFONTxxxx()
functions when defining new fonts).

In the case where no font is defined, saveFontInfo() is never called
and the two list pointers are NULL.

This situation may trigger a NULL pointer dereference in
outputSWF_TEXT_RECORD. In this patch, we check for !fip_current
before dereferencing it. In the == NULL case, we print a warning and
continue.

This commit addresses CVE-2017-16883 (fixes libming#77).

@strk strk closed this in f3a66c6 Nov 24, 2017
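The following is an added illustration of the defect hlef describes above and of the warning-and-continue fix chosen in the commit message; it is not libming's code. It models the font-info list as a minimal singly linked list whose head and current pointers are static (hence NULL until the first font is defined). The names fip, fip_current, saveFontInfo and fontcodeID are borrowed from the thread; the struct layout, resetFontInfo and the two textRecordFontID_* functions are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified model of the situation described in the thread.
 * It is not libming's code: the names fip, fip_current, saveFontInfo and
 * fontcodeID are borrowed from the discussion, everything else is assumed. */
struct fontinfo {
    int fontcodeID;
    struct fontinfo *next;
};

/* Static pointers are zero-initialised, so with no font defined both are NULL. */
static struct fontinfo *fip = NULL;         /* head of the font-info list */
static struct fontinfo *fip_current = NULL; /* most recently defined font */

/* Models saveFontInfo(): append one element for each font-defining tag. */
void saveFontInfo(int fontcodeID)
{
    struct fontinfo *fi = malloc(sizeof *fi);
    if (fi == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    fi->fontcodeID = fontcodeID;
    fi->next = NULL;
    if (fip == NULL)
        fip = fi;               /* first font: it becomes the head */
    else
        fip_current->next = fi; /* otherwise link after the current tail */
    fip_current = fi;
}

/* Frees the list and returns to the "no font defined" state. */
void resetFontInfo(void)
{
    struct fontinfo *fi = fip;
    while (fi != NULL) {
        struct fontinfo *next = fi->next;
        free(fi);
        fi = next;
    }
    fip = fip_current = NULL;
}

/* The defective pattern: the text record handler assumes a font exists and
 * dereferences fip_current unconditionally.  With no font defined this reads
 * through a NULL pointer plus a small field offset, i.e. an address in the
 * zero page, which is the kind of SEGV the sanitizer report above shows. */
int textRecordFontID_unchecked(void)
{
    struct fontinfo *fi = fip_current;
    return fi->fontcodeID; /* undefined behaviour when fi == NULL */
}

/* The hardened pattern, following the warning-and-continue choice in the
 * fix commit: check the pointer first and hand back a sentinel so the caller
 * can skip the record instead of crashing. */
int textRecordFontID_checked(void)
{
    struct fontinfo *fi = fip_current;
    if (fi == NULL) {
        fprintf(stderr,
                "warning: text record references a font, but no font is defined; skipping\n");
        return -1;
    }
    return fi->fontcodeID;
}

int main(void)
{
    /* No font-defining tag has been seen: the checked path warns and continues. */
    printf("no font defined: %d\n", textRecordFontID_checked());

    /* Constructed input: two font-defining tags, then a text record. */
    saveFontInfo(1);
    saveFontInfo(2);
    printf("after two fonts: %d\n", textRecordFontID_checked());

    resetFontInfo();
    return 0;
}
```

The unchecked variant is kept only to show the shape of the bug; it is never called on the empty list here. The sentinel return is one possible contract; an alternative that matches the "report error and exit" option discussed above would be to abort parsing at that point instead of skipping the record.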
