A null pointer dereference bug of swfrender #46
Comments
Patch Suggestion:

Do you plan to address this vulnerability? :)

swf_JPEG2TagToImage extracts an image from a JPEG2 / JPEG3 tag and returns it as an RGBA array. First, it is wrong to return a NULL RGBA array when Alphadata inflation fails. Removing the line "return 0;" (= NULL) allows the process to continue and use the partially inflated Alphadata without wasting the previously decoded JPEG data. At this point, CVE-2017-16711 will be superficially resolved. Second, if we want to be safer, we need to take care of the code that references the RGBA array without checking for NULL.

I'm sorry. The problem pointed out by CVE-2017-16711 is in swf_DefineLosslessBitsTagToImage.

Thanks for analyzing these, Yoya! Any chance you could send me a pull request?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16711 Code modification to continue processing even if zlib inflate of the image fails. The current code returns 0 (NULL) as an RGBA array when the zlib inflate of the image fails, so a segmentation fault occurs at the location that references it. ref) matthiaskramm#46
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16711 Code modification to continue processing even if zlib inflate of the image fails. The current code returns 0 (NULL) as an RGBA array when the zlib inflate of the image fails, so a segmentation fault occurs at the location that references it. ref) #46
A null pointer dereference bug of swfrender
poc: https://drive.google.com/open?id=1GnHnojAXyZuAC-KkUIvRZTWFc0Popv3i
asan: https://drive.google.com/open?id=1wLHRbskl0CQPXA6IkLH01pP2dbhlWyIK
The problem is in the function uncompress:
swftools/lib/modules/swfbits.c, line 987 in 54657f9
When the function uncompress fails, this function returns 0:
swftools/lib/modules/swfbits.c, line 990 in 54657f9
so swf_ExtractImage will return 0.
https://github.com/matthiaskramm/swftools/blob/master/lib/readers/swf.c#L405
data will be NULL when it is constructed:
void *data = swf_ExtractImage(tag, &width, &height);
After that, gfximage_new makes a new struct in which data is a NULL pointer.
This causes a NULL pointer dereference when calling fill_line_bitmap:
swftools/lib/devices/render.c, line 352 in 54657f9
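The following is an added example written for this page; it is not swftools code and not the patch from the thread. It models the path the report and Yoya's comment describe, with hypothetical stand-ins: extract_rgba() for swf_ExtractImage, gfximage_make() for gfximage_new and fill_line_safe() for fill_line_bitmap. zlib's uncompress() is replaced by a small run-length decoder so the file builds without zlib, and the 2x2 sample image and alpha streams are constructed inline. The null_on_error flag switches extract_rgba() between the reported behaviour (return NULL when the alpha plane fails to inflate, which the renderer then dereferences) and the shape of the linked fix (keep the already decoded pixels and continue with whatever alpha was inflated); fill_line_safe() is the consumer-side NULL check the comment asks for.

```c
/* Added example, not swftools code. Stand-ins: extract_rgba() for
 * swf_ExtractImage, gfximage_make() for gfximage_new, fill_line_safe()
 * for fill_line_bitmap. zlib's uncompress() is modelled by rle_inflate(). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int width, height; uint32_t *data; } gfximage_t;

/* Constructed sample input: a 2x2 RGB image, a complete alpha stream and
 * one that is cut off after its first (count, value) pair. */
const uint8_t SAMPLE_RGB[12] = { 1,2,3, 4,5,6, 7,8,9, 10,11,12 };
const uint8_t SAMPLE_ALPHA_OK[2] = { 4, 0x80 };
const uint8_t SAMPLE_ALPHA_TRUNCATED[3] = { 2, 0x40, 2 };

/* Stand-in for uncompress(): input is (count, value) byte pairs.
 * Returns bytes written, or -1 on a dangling count byte, an output
 * overrun, or a stream that ends before `out` is full. Whatever was
 * already decoded stays in `out`, as it does with zlib. */
static long rle_inflate(uint8_t *out, size_t outlen,
                        const uint8_t *in, size_t inlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i += 2) {
        if (i + 1 >= inlen) return -1;      /* count without a value */
        size_t n = in[i];
        if (o + n > outlen) return -1;      /* would overrun out */
        memset(out + o, in[i + 1], n);
        o += n;
    }
    return o == outlen ? (long)o : -1;
}

/* Builds the RGBA array from decoded RGB plus a compressed alpha plane.
 * null_on_error=1 is the reported behaviour: an inflate failure discards
 * the RGB data and returns NULL. null_on_error=0 is the shape of the
 * fix: keep going with the partially inflated alpha. The alpha buffer is
 * zeroed first so undecoded pixels are deterministic (fully transparent);
 * that zeroing is this example's choice, not something the thread states. */
uint32_t *extract_rgba(const uint8_t *rgb, int w, int h,
                       const uint8_t *alpha_z, size_t alpha_zlen,
                       int null_on_error)
{
    size_t npix = (size_t)w * (size_t)h;
    uint8_t *alpha = calloc(npix, 1);
    uint32_t *rgba = malloc(npix * sizeof *rgba);
    if (!alpha || !rgba) { free(alpha); free(rgba); return NULL; }

    for (size_t i = 0; i < npix; i++)
        rgba[i] = (uint32_t)rgb[3*i] << 16 | (uint32_t)rgb[3*i+1] << 8 | rgb[3*i+2];

    long got = rle_inflate(alpha, npix, alpha_z, alpha_zlen);
    if (got < 0 && null_on_error) {
        free(alpha); free(rgba);
        return NULL;                        /* the "return 0;" at issue */
    }
    for (size_t i = 0; i < npix; i++)
        rgba[i] |= (uint32_t)alpha[i] << 24;
    free(alpha);
    return rgba;
}

gfximage_t gfximage_make(int w, int h, uint32_t *data)
{
    gfximage_t img = { w, h, data };        /* data may be NULL; not checked here */
    return img;
}

/* Renderer-side check: never dereference img->data without testing it.
 * Copies row y into dst and returns 0, or returns -1 and touches nothing. */
int fill_line_safe(uint32_t *dst, const gfximage_t *img, int y)
{
    if (!img || !img->data || y < 0 || y >= img->height) return -1;
    memcpy(dst, img->data + (size_t)y * (size_t)img->width,
           (size_t)img->width * sizeof *dst);
    return 0;
}

int main(void)
{
    uint32_t *vuln  = extract_rgba(SAMPLE_RGB, 2, 2, SAMPLE_ALPHA_TRUNCATED, 3, 1);
    uint32_t *fixed = extract_rgba(SAMPLE_RGB, 2, 2, SAMPLE_ALPHA_TRUNCATED, 3, 0);
    gfximage_t img = gfximage_make(2, 2, vuln);
    uint32_t row[2];
    printf("null_on_error=1 result: %s\n", vuln ? "buffer" : "NULL");
    printf("fill_line_safe on it:   %d\n", fill_line_safe(row, &img, 0));
    if (fixed) printf("null_on_error=0 pixel 0: 0x%08x\n", fixed[0]);
    free(vuln); free(fixed);
    return 0;
}
```

With the truncated stream, the null_on_error=1 path returns NULL and a renderer that does not test the pointer would crash exactly as the ASan trace in the report describes; the null_on_error=0 path returns a buffer whose first two pixels carry the decoded alpha 0x40 and whose remaining pixels keep their RGB with alpha 0. Both halves are needed: the producer-side change removes this trigger, the consumer-side check in fill_line_safe() covers every other way an image can arrive with a NULL data pointer.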