
A heap overflow bug of png2swf. #50

Closed
ghost opened this issue Nov 10, 2017 · 1 comment

Comments

@ghost

ghost commented Nov 10, 2017

A heap overflow bug of png2swf.
poc: https://drive.google.com/open?id=10RJHlWpMJ0LVWyEqPpvODhH7tyKZbOsR
asan: https://drive.google.com/open?id=1XJI_XKtLFv7gRDPYKSvmAC5RI5sHL6_h

png_read_header
Parameter a is a char type, and header->bpp is an int type.
When a is 0x80, header->bpp will become 0xffffff80 after the evaluation.

https://github.com/matthiaskramm/swftools/blob/54657f9ba3dd4fa3e54c8f8c18f3def7a42d1f1c/src/png2swf.c#L179

When bpp is used, pos becomes a really big number, which causes the heap overflow.

https://github.com/matthiaskramm/swftools/blob/392fb1f3cd9a5b167787c551615c651c3f5326f2/lib/png.c#L747
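
The sign-extension defect described in the report, reproduced as an added example that is not code from swftools or from the reporter: the IHDR bit-depth byte is first read through a signed `char` (written as `signed char` here so the result does not depend on the platform's default char signedness; on x86 plain `char` is signed, which is the case the report describes), then stored in an `int`, so 0x80 becomes -128 (0xffffff80 as unsigned). `row_bytes` is an illustrative stand-in for the position arithmetic the report refers to, not the project's own computation, and `bpp_checked` is the hardened form: read the byte as unsigned and accept only the bit depths the PNG specification allows (1, 2, 4, 8, 16). The IHDR bytes are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a PNG IHDR data field is 13 bytes:
 * width(4), height(4), bit depth(1), color type(1), compression(1),
 * filter(1), interlace(1). The bit-depth byte here is 0x80, which is
 * not a legal PNG bit depth but has the high bit set. */
static const unsigned char ihdr_bad[13] = {
    0x00, 0x00, 0x00, 0x10,   /* width  = 16 */
    0x00, 0x00, 0x00, 0x10,   /* height = 16 */
    0x80,                     /* bit depth byte with the high bit set */
    0x02, 0x00, 0x00, 0x00    /* color type, compression, filter, interlace */
};

/* Constructed sample with a legal bit depth of 8. */
static const unsigned char ihdr_good[13] = {
    0x00, 0x00, 0x00, 0x10,
    0x00, 0x00, 0x00, 0x10,
    0x08,
    0x02, 0x00, 0x00, 0x00
};

/* Pattern from the report: byte read through a signed char, stored in an int.
 * The conversion sign-extends, so 0x80 yields -128, i.e. 0xffffff80 unsigned. */
int bpp_via_signed_char(const unsigned char *ihdr)
{
    signed char a = (signed char)ihdr[8];
    int bpp = a;              /* sign extension happens here */
    return bpp;
}

/* Helper so a test can look at the 32-bit pattern of the int value. */
uint32_t as_u32(int v)
{
    return (uint32_t)v;
}

/* Hardened form: read as unsigned and allow only PNG's legal bit depths.
 * Returns 0 on success with *out set, -1 on a rejected value. */
int bpp_checked(const unsigned char *ihdr, int *out)
{
    unsigned int a = ihdr[8]; /* zero-extended, never negative */
    switch (a) {
    case 1: case 2: case 4: case 8: case 16:
        *out = (int)a;
        return 0;
    default:
        return -1;
    }
}

/* Illustrative stand-in for a row/position computation (not swftools' own):
 * bytes per row = ceil(width * bpp / 8). With a negative bpp the size_t
 * arithmetic wraps and the result is enormous, which is how a later
 * buffer index or allocation size goes far out of range. */
size_t row_bytes(int width, int bpp)
{
    return ((size_t)width * (size_t)bpp + 7) / 8;
}

int main(void)
{
    int bpp = bpp_via_signed_char(ihdr_bad);
    printf("signed-char path: bpp=%d (0x%08x) -> row_bytes=%zu\n",
           bpp, as_u32(bpp), row_bytes(16, bpp));

    int checked;
    if (bpp_checked(ihdr_bad, &checked) != 0)
        printf("checked path: bit depth 0x%02x rejected\n", ihdr_bad[8]);
    if (bpp_checked(ihdr_good, &checked) == 0)
        printf("checked path: bpp=%d -> row_bytes=%zu\n",
               checked, row_bytes(16, checked));
    return 0;
}
```

The whitelist check is cheap and also catches values such as 3 or 32 that an unsigned read alone would let through; the `row_bytes` result on the sign-extended value is what to look for when auditing any code that turns header fields into buffer offsets or allocation sizes.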

@ousia
Contributor

ousia commented May 19, 2024

According to #72 (comment), closing the issue as fixed.

@ousia ousia closed this as completed May 19, 2024