left shift of a negative value in readSBits (util/read.c) #97

Closed
youwei1988 opened this Issue Jan 4, 2018 · 3 comments

youwei1988 commented Jan 4, 2018

On 0.4.8 (the latest version):
There is a left shift of a negative value in the readSBits function (util/read.c), which can cause denial of service via a crafted SWF file.

src/util/read.c:110:14: runtime error: shift exponent -1 is negative

To reproduce the issue, compile libming with UBSAN "-fsanitize=undefined",
then execute: listswf $POC

The POC file can be downloaded from:
https://github.com/youwei1988/poc/blob/master/libming/libming_0-4-8_listswf_negative-shift-exponent_readSBits.swf

Contributor

hlef commented Jan 10, 2018

Could not reproduce on latest git revision, but it is very likely to be affected. I will do some extended testing later.

hlef added a commit to hlef/libming that referenced this issue Jan 11, 2018

Fix left shift of a negative value in readSBits.
Check for !number before left-shifting by (number-1).

This commit fixes: libming#97.
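
The guard named in the commit message above, as an added example that is not libming's source: `sign_extend` is a hypothetical helper that sign-extends an n-bit field read from a file. The reported exponent of -1 corresponds to a width of 0 reaching the `number-1` shift, so the helper returns 0 for that width before any shift happens.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not libming's API): interpret the low `nbits` bits of
 * `raw` as a two's-complement signed field, as a signed bit-field reader
 * does after pulling the bits from the stream. */
static int32_t sign_extend(uint32_t raw, unsigned nbits)
{
    /* The width comes from the parsed file, so 0 can reach this point.
     * Without this guard the sign-bit mask below would be 1 << (0 - 1),
     * a shift by a negative exponent, which is undefined behaviour in C
     * and is what UBSAN reports as "shift exponent -1 is negative". */
    if (nbits == 0)
        return 0;

    /* Assumption of this example: a width of 32 or more means the whole
     * word. Shifting a 32-bit value by >= 32 would also be undefined. */
    if (nbits >= 32)
        return (int32_t)raw;

    uint32_t sign = UINT32_C(1) << (nbits - 1); /* sign bit of the field */
    raw &= (sign << 1) - 1;                     /* drop bits above the field */

    /* (x ^ s) - s sign-extends using unsigned arithmetic only, so no
     * signed value is ever shifted. */
    return (int32_t)((raw ^ sign) - sign);
}

int main(void)
{
    /* Constructed sample inputs: raw bits and the width taken from a file. */
    const struct { uint32_t raw; unsigned nbits; } samples[] = {
        { 0xFFFFFFFFu, 0 },  /* zero-width field: must not shift at all */
        { 0x1u, 1 },
        { 0x7u, 4 },
        { 0x8u, 4 },
        { 0xF5u, 4 },        /* stray high bits are masked off */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("raw=0x%08x nbits=%u -> %d\n", (unsigned)samples[i].raw,
               samples[i].nbits, (int)sign_extend(samples[i].raw, samples[i].nbits));
    return 0;
}
```

Building this with `-fsanitize=undefined`, the same flag used in the report, confirms that no shift diagnostic is raised for the zero-width input.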

Contributor

hlef commented Jan 11, 2018

For the record, this issue has been assigned CVE ID CVE-2018-5294.

ProbeFuzzer commented Jan 16, 2018

@hlef Thanks a lot for fixing this vulnerability.
