integer overflow caused by out-of-range left shift in readUInt32 (util/read.c) #98
Comments
Hi ProbeFuzzer, Please try reproducing this issue with the latest git revision. This function has changed a lot since 0.4.8.

Hum, looks like the latest git revision is actually affected. I'll request a CVE number and submit a PR. Thanks!
hlef added a commit to hlef/libming that referenced this issue (Jan 11, 2018)
This vulnerability is caused by a regression introduced in d468907. In this commit we cast the result of readUInt8(f) before left shifting by 24 in order to avoid out of range shift. This commit fixes: libming#98.
hlef added a commit to hlef/libming that referenced this issue (Jan 11, 2018)
For the record, this issue has been assigned CVE ID CVE-2018-5251.

@hlef Thanks a lot for fixing this vulnerability.
On 0.4.8 (the latest version):
there is an out-of-range left shift in the readUInt32 function (util/read.c), which can cause denial of service via a crafted swf file.
src/util/read.c:181:26: runtime error: left shift of 128 by 24 places cannot be represented in type 'int'
To reproduce the issue, compile libming with UBSAN "-fsanitize=undefined",
then execute: listswf $POC
The POC file can be downloaded from:
https://github.com/ProbeFuzzer/poc/blob/master/libming/libming_0-4-8_listswf_integer-overflow_readUInt32.swf
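
Added example, not libming's code: a C sketch of the shift reported above next to the cast described in the fix commit. `next_u8`, `shift_fits_int` and both reader names are hypothetical; the input is a constructed in-memory buffer rather than a `FILE *`, the byte order is assumed little-endian, and `int` is assumed to be 32 bits wide.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for readUInt8(f): next byte of an in-memory buffer,
 * returned as int the way a getc()-style reader does. */
static int next_u8(const uint8_t *buf, size_t *pos)
{
    return buf[(*pos)++];
}

/* Is `value << shift` representable in int? When it is not, the shift is
 * undefined behaviour in C and UBSAN reports it, as in the issue above. */
int shift_fits_int(int value, unsigned shift)
{
    return value >= 0 && shift < sizeof(int) * CHAR_BIT
        && value <= (INT_MAX >> shift);
}

/* Pattern that triggers the report: the byte is still an int when shifted,
 * so a top byte >= 0x80 shifted by 24 overflows. Shown for comparison. */
uint32_t read_u32_int_shift(const uint8_t *buf, size_t *pos)
{
    int b0 = next_u8(buf, pos), b1 = next_u8(buf, pos);
    int b2 = next_u8(buf, pos), b3 = next_u8(buf, pos);
    return (uint32_t)(b0 + (b1 << 8) + (b2 << 16) + (b3 << 24));
}

/* Hardened form: cast each byte to an unsigned 32-bit type before shifting,
 * so every shift is defined for all byte values. */
uint32_t read_u32_cast(const uint8_t *buf, size_t *pos)
{
    uint32_t b0 = (uint32_t)next_u8(buf, pos);
    uint32_t b1 = (uint32_t)next_u8(buf, pos);
    uint32_t b2 = (uint32_t)next_u8(buf, pos);
    uint32_t b3 = (uint32_t)next_u8(buf, pos);
    return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24);
}

int main(void)
{
    const uint8_t sample[4] = { 0x00, 0x00, 0x00, 0x80 }; /* constructed input */
    size_t pos = 0;
    printf("128 << 24 fits in int: %d\n", shift_fits_int(128, 24));
    printf("cast reader: 0x%08x\n", (unsigned)read_u32_cast(sample, &pos));
    return 0;
}
```

Building the unfixed pattern with `-fsanitize=undefined`, as in the report, flags the `b3 << 24` term for any top byte of 0x80 or above; the cast version produces no report for the same input.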