left shift of a negative value in readSBits (util/read.c) #97
Comments
Could not reproduce on latest git revision, but it is very likely to be affected. I will do some extended testing later.
hlef added a commit to hlef/libming that referenced this issue Jan 11, 2018
Check for !number before left-shifting by (number-1). This commit fixes: libming#97.
hlef added a commit to hlef/libming that referenced this issue Jan 11, 2018
For the record, this issue has been assigned CVE ID CVE-2018-5294.

@hlef Thanks a lot for fixing this vulnerability.
On 0.4.8 (the latest version), there is a left shift of a negative value in the readSBits function (util/read.c), which can cause denial of service via a crafted SWF file.
src/util/read.c:110:14: runtime error: shift exponent -1 is negative
To reproduce the issue, compile libming with UBSAN "-fsanitize=undefined",
then execute: listswf $POC
The POC file can be downloaded from:
https://github.com/youwei1988/poc/blob/master/libming/libming_0-4-8_listswf_negative-shift-exponent_readSBits.swf
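
The guard named in the fix commit ("Check for !number before left-shifting by (number-1)"), shown as an added example that is not part of the original issue and is not libming's code: a signed bit-field reader that validates the width before computing the sign bit. The `bitreader` struct, the `read_ubits`/`read_sbits` names and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical MSB-first bit reader over a memory buffer (assumed names). */
struct bitreader {
    const uint8_t *buf;
    size_t len;     /* bytes available in buf */
    size_t bitpos;  /* next bit to read, counted from the start of buf */
};

/* Read `number` bits (0..32) as unsigned; -1 on bad width or short input. */
static int read_ubits(struct bitreader *br, int number, uint32_t *out)
{
    uint32_t v = 0;
    if (number < 0 || number > 32) return -1;
    if ((size_t)number > br->len * 8 - br->bitpos) return -1;
    for (int i = 0; i < number; i++, br->bitpos++) {
        uint8_t byte = br->buf[br->bitpos >> 3];
        v = (v << 1) | ((byte >> (7 - (br->bitpos & 7))) & 1u);
    }
    *out = v;
    return 0;
}

/* Read `number` bits as a two's-complement signed value. */
static int read_sbits(struct bitreader *br, int number, int32_t *out)
{
    uint32_t raw, sign;
    if (read_ubits(br, number, &raw) != 0) return -1;
    if (number == 0) {          /* no sign bit to test; 1 << (0 - 1) is undefined */
        *out = 0;
        return 0;
    }
    sign = UINT32_C(1) << (number - 1);      /* exponent is now 0..31 */
    *out = (int32_t)((raw ^ sign) - sign);   /* sign-extend in unsigned arithmetic */
    return 0;
}

int main(void)
{
    static const uint8_t sample[] = { 0xF8, 0x78 };  /* constructed input */
    struct bitreader br = { sample, sizeof sample, 0 };
    int32_t v;
    int rc = read_sbits(&br, 0, &v);   /* the width that triggered the report */
    printf("width 0: rc=%d value=%d\n", rc, (int)v);
    rc = read_sbits(&br, 5, &v);       /* bits 11111 */
    printf("width 5: rc=%d value=%d\n", rc, (int)v);
    return 0;
}
```

Building this with the same `-fsanitize=undefined` flag used in the report should produce no shift-exponent diagnostic for the zero-width read.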