bug 1: arbitrary write caused by a logic bug
In function png_load, there is no check for realloc. If the result of realloc is 0, the data will be written into address zimagedatalen. We could control the value of zimagedatalen to achieve arbitrary write.
https://github.com/matthiaskramm/swftools/blob/392fb1f3cd9a5b167787c551615c651c3f5326f2/lib/png.c#L546
https://github.com/matthiaskramm/swftools/blob/392fb1f3cd9a5b167787c551615c651c3f5326f2/lib/png.c#L547
bug 2: crash caused by a logic bug
In function png_read_chunk, there is no check for malloc. If malloc failed, *destdata=0, fread will write address 0 and crash the binary.
https://github.com/matthiaskramm/swftools/blob/54657f9ba3dd4fa3e54c8f8c18f3def7a42d1f1c/src/png2swf.c#L127
https://github.com/matthiaskramm/swftools/blob/54657f9ba3dd4fa3e54c8f8c18f3def7a42d1f1c/src/png2swf.c#L130
bug 3: integer overflow -> heap overflow
In function png_load, both header.width and header.height are 4 bytes, and alleclen_64 is 8 bytes. header.width * header.height * 4 may be greater than 8 bytes, which caused integer overflow. Further can cause heap overflow.
https://github.com/matthiaskramm/swftools/blob/392fb1f3cd9a5b167787c551615c651c3f5326f2/lib/png.c#L579
These as well as others have CVEs assigned. See e.g:
https://security-tracker.debian.org/tracker/source-package/swftools
Are these going to be addressed?
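The three conditions reported in this issue (an unchecked realloc, an unchecked malloc ahead of fread, and a width * height * 4 size computation) share one defensive pattern, sketched here as an added example that is not swftools code and not a patch from the project. The helper names rgba_size, grow_buffer and read_chunk_data are hypothetical, and the dimensions in main are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: byte count for a width x height RGBA image.
   Returns 0 and sets *out, or -1 if the size is zero or cannot be represented. */
int rgba_size(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0) return -1;
    uint64_t pixels = (uint64_t)width * height;  /* 32 x 32 bits always fits in 64 */
    if (pixels > SIZE_MAX / 4) return -1;        /* pixels * 4 would wrap size_t */
    *out = (size_t)pixels * 4;
    return 0;
}

/* Hypothetical helper: grow *buf from old_len to old_len + add bytes.
   On failure *buf is left untouched, so the caller never writes through NULL. */
int grow_buffer(unsigned char **buf, size_t old_len, size_t add)
{
    if (add == 0) return 0;
    if (add > SIZE_MAX - old_len) return -1;     /* length sum would wrap */
    unsigned char *tmp = realloc(*buf, old_len + add);
    if (tmp == NULL) return -1;                  /* old block is still valid */
    *buf = tmp;
    return 0;
}

/* Hypothetical helper: read len bytes of chunk data into a fresh buffer. */
int read_chunk_data(FILE *fp, size_t len, unsigned char **dest)
{
    *dest = NULL;
    if (len == 0) return 0;
    unsigned char *p = malloc(len);
    if (p == NULL) return -1;                    /* never hand NULL to fread */
    if (fread(p, 1, len, fp) != len) { free(p); return -1; }
    *dest = p;
    return 0;
}

int main(void)
{
    size_t n = 0;
    /* Constructed dimensions: one small image, one that cannot be allocated. */
    printf("2x3 -> %d\n", rgba_size(2, 3, &n));
    printf("0xFFFFFFFF x 0xFFFFFFFF -> %d\n", rgba_size(0xFFFFFFFFu, 0xFFFFFFFFu, &n));
    return 0;
}
```

Assigning the realloc result to a temporary first also keeps the original block reachable on failure, so it can still be freed.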