3 bugs of png2swf #51
Comments
|
These as well as others have CVEs assigned. See e.g: https://security-tracker.debian.org/tracker/source-package/swftools are these going to be addressed? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
bug 1: atribute write caused by a logic bug
In function png_load, there is no check for realoc. If the result of realloc is 0, the data will be written into address zimagedatalen. We could control the value of zimagedatalen to achieve atribute write.
https://github.com/matthiaskramm/swftools/blob/392fb1f3cd9a5b167787c551615c651c3f5326f2/lib/png.c#L546
https://github.com/matthiaskramm/swftools/blob/392fb1f3cd9a5b167787c551615c651c3f5326f2/lib/png.c#L547
bug 2: crash caused by a logic bug
In fuction png_read_chunk, there is no check for malloc. If malloc failed, *destdata=0, fread will write address 0 and crash the binary.
https://github.com/matthiaskramm/swftools/blob/54657f9ba3dd4fa3e54c8f8c18f3def7a42d1f1c/src/png2swf.c#L127
https://github.com/matthiaskramm/swftools/blob/54657f9ba3dd4fa3e54c8f8c18f3def7a42d1f1c/src/png2swf.c#L130
bug 3: integer overflow -> heapoverflow
In function png_load, both header,width and header.height are 4 bytes, and alleclen_64 is 8 bytes. header,width * header.height *4 may be greater than 8 bytes, which caused integer overflow. Further can cause heap overflow.
https://github.com/matthiaskramm/swftools/blob/392fb1f3cd9a5b167787c551615c651c3f5326f2/lib/png.c#L579
The text was updated successfully, but these errors were encountered: