A heap overflow bug in png2swf.
poc: https://drive.google.com/open?id=10RJHlWpMJ0LVWyEqPpvODhH7tyKZbOsR
asan: https://drive.google.com/open?id=1XJI_XKtLFv7gRDPYKSvmAC5RI5sHL6_h
png_read_header
Parameter a is a char type, and header->bpp is an int type.
When a is 0x80, header->bpp becomes 0xffffff80 after the evaluation.
https://github.com/matthiaskramm/swftools/blob/54657f9ba3dd4fa3e54c8f8c18f3def7a42d1f1c/src/png2swf.c#L179
When bpp is used, pos becomes a really big number, which causes the heap overflow.
https://github.com/matthiaskramm/swftools/blob/392fb1f3cd9a5b167787c551615c651c3f5326f2/lib/png.c#L747
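The sign-extension mechanism described in the report, as an added example that is not part of the report and not swftools code: the IHDR bit-depth byte is read once through a plain char (the reported pattern) and once through unsigned char, an illustrative stride calculation shows what a negative bpp turns into once it is used as a size_t, and a validating reader rejects the byte before any arithmetic happens. The function names, the stride formula and the two 13-byte IHDR payloads are constructed for illustration and are not png2swf's own code or data.

```c
/* Added example for this issue; not swftools code. Function names, the
 * stride formula and the IHDR byte strings below are constructed. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 13-byte IHDR payloads: big-endian width and height, then
 * bit depth, colour type, compression, filter, interlace. The first one
 * carries the bit-depth byte 0x80 from the report. */
static const unsigned char IHDR_BAD[13] = { 0,0,0,4, 0,0,0,1, 0x80, 2, 0,0,0 };
static const unsigned char IHDR_OK[13]  = { 0,0,0,4, 0,0,0,1, 0x08, 2, 0,0,0 };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The reported pattern: the byte passes through a plain `char` before the
 * int. Where char is signed (x86 ABIs), 0x80 reads as -128 and sign-extends
 * to 0xffffff80; where char is unsigned (e.g. AArch64 Linux) it stays 128. */
int bpp_via_char(const unsigned char *ihdr)
{
    char a = (char)ihdr[8];
    int bpp = a;
    return bpp;
}

/* The same read through unsigned char gives 0..255 on every platform. */
int bpp_via_uchar(const unsigned char *ihdr)
{
    unsigned char a = ihdr[8];
    int bpp = a;
    return bpp;
}

/* Illustrative downstream arithmetic (assumed, not png.c's exact formula):
 * a negative bpp makes the int result negative, and as soon as that value
 * is used as a size_t length or index it becomes enormous. */
size_t row_stride_unchecked(int width, int bpp)
{
    int bytes = width * bpp / 8;
    return (size_t)bytes;
}

/* Hardened reader: read the byte as unsigned, validate it against the bit
 * depths PNG allows for the colour type, and compute the stride with an
 * overflow guard. Returns 0 on success, -1 on a bad header. */
int png_ihdr_validate(const unsigned char *ihdr, unsigned *bit_depth_out,
                      size_t *stride_out)
{
    uint32_t width = be32(ihdr);
    uint32_t height = be32(ihdr + 4);
    unsigned bit_depth = ihdr[8];
    unsigned colour_type = ihdr[9];
    unsigned allowed, channels;

    /* PNG limits width and height to 1..2^31-1. */
    if (width == 0 || width > 0x7fffffffu || height == 0 || height > 0x7fffffffu)
        return -1;

    switch (colour_type) {
    case 0: allowed = 1|2|4|8|16; channels = 1; break; /* greyscale */
    case 2: allowed = 8|16;       channels = 3; break; /* RGB */
    case 3: allowed = 1|2|4|8;    channels = 1; break; /* palette index */
    case 4: allowed = 8|16;       channels = 2; break; /* grey + alpha */
    case 6: allowed = 8|16;       channels = 4; break; /* RGBA */
    default: return -1;
    }
    /* The depth must be a single power of two listed in `allowed`. */
    if (bit_depth == 0 || (bit_depth & (bit_depth - 1)) || !(bit_depth & allowed))
        return -1;

    /* With the limits above the bit count stays below 2^38, but guard the
     * multiplication anyway so a 32-bit size_t cannot wrap. */
    if ((size_t)width > SIZE_MAX / (channels * bit_depth + 8))
        return -1;
    *bit_depth_out = bit_depth;
    *stride_out = ((size_t)width * channels * bit_depth + 7) / 8;
    return 0;
}

int main(void)
{
    unsigned depth; size_t stride;
    printf("via char:  %d (0x%08x)\n", bpp_via_char(IHDR_BAD), (unsigned)bpp_via_char(IHDR_BAD));
    printf("via uchar: %d\n", bpp_via_uchar(IHDR_BAD));
    printf("stride with width=4, bpp=-128: %zu\n", row_stride_unchecked(4, -128));
    printf("validate bad header: %d\n", png_ihdr_validate(IHDR_BAD, &depth, &stride));
    if (png_ihdr_validate(IHDR_OK, &depth, &stride) == 0)
        printf("validate ok header: depth=%u stride=%zu\n", depth, stride);
    return 0;
}
```

On an x86 build the first line prints -128 (0xffffff80), matching the value in the report, and the unchecked stride comes out as a value near SIZE_MAX; the validating reader refuses the 0x80 byte outright because 128 is not a legal PNG bit depth for any colour type, so no position arithmetic ever sees it.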