There is a crash in the listswf tool of libming caused by a crafted input that will lead to DoS damage. #86
Comments
This has been assigned CVE-2017-9989
ok, thank you very much.
Sent from NetEase Mail Master
On 07/19/2017 22:26, Emilio Pozuelo Monfort wrote: This has been assigned CVE-2017-9989
Please note that this issue isn't fixed by 2027b24; the overflow is still present. A possible fix would be to change This should not be a problem because if
+1 for changing readBytes signature to take unsigned
The POC is got from https://github.com/owl337/pocs/blob/master/libswf_POC2.rar
Description:
The debugging information is as follows:
A previous incorrect operation causes si->Size to become too large, which makes the malloc call fail. This leads the program to crash in outputtxt.c:2229; the details are below.
outputtxt.c:2228 buffer = malloc(si->Size+1); // si->Size is too large, malloc fails and buffer is NULL
outputtxt.c:2229 memset(buffer, 0, si->Size+1); // causes a NULL pointer dereference
$gdb ./listswf
(gdb) set args POC2
(gdb) r
...
(gdb) bt
#0 __memset_sse2 () at ../sysdeps/x86_64/multiarch/../memset.S:78
#1 0x000000000040e0f3 in outputABC_STRING_INFO (si=)
at outputtxt.c:2229
#2 outputStringConstant (abc=, strIndex=)
at outputtxt.c:2449
#3 0x000000000040ec79 in outputABC_METADATA_INFO (abc=0x676250,
mi=0x7ffff00020f8) at outputtxt.c:2563
#4 0x000000000040ff01 in outputABC_FILE (abc=0x676250) at outputtxt.c:2772
#5 0x000000000040b0ca in outputBlock (type=, blockp=0x676240,
stream=) at outputtxt.c:2933
#6 0x00000000004120c6 in readMovie (f=) at main.c:277
#7 main (argc=, argv=) at main.c:350
Credits:
This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more information about the team, the tool or the vulnerability.
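Added example, not libming's own code: a minimal stand-in for the string read described above, in its hardened form. The declared size is checked against the bytes actually left in the input, the allocation is done in size_t so the +1 cannot wrap, and the malloc result is checked before memset/memcpy touch it. The struct abc_input, the 4-byte length encoding (the real ABC format uses a variable-length u30) and the function names are assumptions; the input bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical input cursor over an in-memory file. */
struct abc_input {
    const uint8_t *data;
    size_t len;
    size_t pos;
};

/* Toy length field: 4-byte little-endian (assumption, see lead-in). */
static int read_u32(struct abc_input *in, uint32_t *out) {
    if (in->len - in->pos < 4) return -1;
    const uint8_t *p = in->data + in->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    in->pos += 4;
    return 0;
}

/* Hardened reader. The report's pattern was
 *   buffer = malloc(si->Size + 1); memset(buffer, 0, si->Size + 1);
 * with Size taken from the file and no NULL check. Here the size must
 * fit in the remaining input and the allocation is verified.
 * Returns a NUL-terminated copy, or NULL on malformed input / OOM. */
char *read_string_info_safe(struct abc_input *in) {
    uint32_t size;
    if (read_u32(in, &size) != 0) return NULL;
    if (size > in->len - in->pos) return NULL;  /* claims bytes that do not exist */
    char *buffer = malloc((size_t)size + 1);    /* size_t: no 32-bit wrap to 0 */
    if (buffer == NULL) return NULL;            /* the check missing in the report */
    memcpy(buffer, in->data + in->pos, size);
    buffer[size] = '\0';
    in->pos += size;
    return buffer;
}

/* Convenience wrapper: parse one string from a raw byte buffer. */
char *parse_string_info(const uint8_t *data, size_t len) {
    struct abc_input in = { data, len, 0 };
    return read_string_info_safe(&in);
}

int main(void) {
    /* Constructed inputs: a well-formed string, then one claiming 0xFFFFFFFF bytes. */
    const uint8_t good[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t bad[]  = { 0xFF, 0xFF, 0xFF, 0xFF, 'x' };
    char *s = parse_string_info(good, sizeof good);
    printf("good: %s\n", s ? s : "(rejected)");
    free(s);
    s = parse_string_info(bad, sizeof bad);
    printf("bad: %s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```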