invalid memory read in OpCode #84

Closed
bestshow opened this issue Jun 8, 2017 · 1 comment
bestshow commented Jun 8, 2017

On the latest libming version, an invalid memory read was found in function OpCode.

#swftocxx $FILE out
=================================================================
SEGV on unknown address 0x60dffffffff0 (pc 0x000000566254 bp 0x2028656c696877 sp 0x7ffda7ccab50 T0)
==20555==The signal is caused by a READ memory access.
    #0 0x566253 in OpCode /home/haojun/Downloads/libming-master/util/decompile.c:868:37
    #1 0x566253 in isLogicalOp /home/haojun/Downloads/libming-master/util/decompile.c:1193
    #2 0x566253 in decompileIF /home/haojun/Downloads/libming-master/util/decompile.c:2332
    #3 0x5875eb in decompileActions /home/haojun/Downloads/libming-master/util/decompile.c:3401:6
    #4 0x5875eb in decompile5Action /home/haojun/Downloads/libming-master/util/decompile.c:3423
    #5 0x52a0c5 in outputSWF_DOACTION /home/haojun/Downloads/libming-master/util/outputscript.c:1548:29
    #6 0x531311 in readMovie /home/haojun/Downloads/libming-master/util/main.c:277:4
    #7 0x531311 in main /home/haojun/Downloads/libming-master/util/main.c:350
    #8 0x7f1829051b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #9 0x41ae7b in _start (/home/haojun/Downloads/libming-afl-build/bin/swftocxx+0x41ae7b)

SEGV /home/haojun/Downloads/libming-master/util/decompile.c:868:37 in OpCode
==20555==ABORTING

Testcase: https://github.com/bestshow/p0cs/blob/master/invalid-memory-read-in_OpCode
Credit: ADLab of Venustech

Contributor

hlef commented Oct 6, 2017

First problem here: Again, OpCode is called with n = 0. This should be fixed by #89.

Second problem: Again, sact->numActions can be 0 in decompileIF. This was fixed by #88.

Applying both patches seems to fix the issue.

For the record, this issue was assigned ID CVE-2017-11731.
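
A constructed C model of the two defects hlef names above (OpCode called with n = 0, and an action block whose numActions is 0), with a bounds-checked lookup beside the unchecked one. This is added example code, not libming's decompile.c; the struct names, the index arithmetic and the opcode values are assumptions.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a decompiler's action list; NOT libming's real
 * structures, only the shape needed to show the failure mode. */
typedef struct { unsigned char code; } Action;
typedef struct { Action *actions; int numActions; } ActionList;

/* Unchecked lookup in the style the thread describes: the caller is trusted
 * to pass a valid n. With numActions == 0 (an empty block from a malformed
 * SWF) and n == 0 this indexes actions[-1]: an out-of-bounds read, which is
 * what ASan reported as a SEGV on a READ inside OpCode. Never called here. */
static int opcode_unchecked(const ActionList *sact, int n) {
    return sact->actions[sact->numActions - 1 - n].code;
}

/* Hardened lookup: validate the list and the index, and return -1 for
 * "no such action" so callers can bail out instead of reading garbage. */
static int opcode_checked(const ActionList *sact, int n) {
    if (sact == NULL || sact->actions == NULL) return -1;
    if (sact->numActions <= 0) return -1;           /* empty block: nothing to read */
    if (n < 0 || n >= sact->numActions) return -1;  /* index past either end */
    return sact->actions[sact->numActions - 1 - n].code;
}

/* Caller in the style of decompileIF -> isLogicalOp: an empty block is
 * simply "not a logical op" rather than a memory read. The two opcode
 * values are assumed stand-ins for logical AND / OR. */
static bool is_logical_op_checked(const ActionList *sact) {
    int op = opcode_checked(sact, 0);
    return op == 0x10 || op == 0x11;
}

/* Constructed sample data: a two-action block and an empty block. */
static Action sample_acts[] = { {0x96}, {0x10} };
static ActionList sample_block = { sample_acts, 2 };
static ActionList empty_block  = { sample_acts, 0 };  /* numActions == 0, as in the report */

int main(void) {
    (void)opcode_unchecked;  /* kept only for comparison; never invoked */
    printf("last opcode of sample block: %d\n", opcode_checked(&sample_block, 0));
    printf("last opcode of empty block:  %d\n", opcode_checked(&empty_block, 0));
    printf("empty block is logical op:   %d\n", is_logical_op_checked(&empty_block));
    return 0;
}
```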
