bug 1: arbitrary write caused by a logic bug
In function png_load, there is no check for realloc. If the result of realloc is 0, the data will be written into address zimagedatalen. We could control the value of zimagedatalen to achieve an arbitrary write.
swftools/lib/png.c, lines 546 and 547 in 392fb1f
bug 2: crash caused by a logic bug
In function png_read_chunk, there is no check for malloc. If malloc fails, *destdata = 0, and fread will write to address 0 and crash the binary.
swftools/src/png2swf.c, lines 127 and 130 in 54657f9
bug 3: integer overflow -> heap overflow
In function png_load, both header.width and header.height are 4 bytes, and alleclen_64 is 8 bytes. header.width * header.height * 4 may be greater than 8 bytes, which causes an integer overflow. This can further cause a heap overflow.
swftools/lib/png.c, line 579 in 392fb1f
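The following is an added example, not the reporter's text and not swftools code. It reproduces the two bug classes above in isolation: a 32-bit width * height * 4 product that wraps before it is widened to 64 bits (bug 3), beside a hardened computation that widens first and rejects sizes that cannot be allocated; and an unchecked-allocation append (the pattern bugs 1 and 2 describe, where a NULL from realloc or malloc becomes a write through a controlled or null pointer), beside a checked version that keeps the old buffer and reports failure. `struct png_header`, `struct growbuf`, `growbuf_append`, the `realloc_fn` hook and `failing_realloc` are all names assumed here for illustration; the reconstruction of the `realloc` + `memcpy` sequence in `png_load` is my reading of the issue, not a quote of the source.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the width/height fields of the PNG header
 * (assumed names; swftools' own struct is not reproduced here). */
struct png_header {
    uint32_t width;
    uint32_t height;
};

/* Bug 3 as reported: width, height and the constant 4 are all 32-bit, so the
 * product wraps modulo 2^32 *before* it is stored in the 64-bit variable.
 * A 0x10000 x 0x10000 image yields 0, and malloc(0) is followed by writes
 * sized by the real dimensions: a heap overflow. */
uint64_t alloc_len_wrapping(struct png_header h)
{
    uint64_t alloclen_64 = h.width * h.height * 4; /* uint32 arithmetic */
    return alloclen_64;
}

/* Hardened form: widen each operand first, then multiply, and refuse any
 * result that would wrap uint64 or exceed what malloc can take.
 * Returns 0 for a rejected header (0 is never a valid image size). */
uint64_t alloc_len_checked(struct png_header h)
{
    if (h.width == 0 || h.height == 0)
        return 0;
    uint64_t pixels = (uint64_t)h.width * (uint64_t)h.height; /* < 2^64, cannot wrap */
    if (pixels > UINT64_MAX / 4)            /* pixels * 4 would wrap uint64 */
        return 0;
    uint64_t alloclen_64 = pixels * 4;
    if (alloclen_64 > SIZE_MAX)             /* too large for size_t on this platform */
        return 0;
    return alloclen_64;
}

/* Growable buffer standing in for zimagedata / zimagedatalen in png_load
 * (assumed names). */
struct growbuf {
    unsigned char *data;
    size_t len;
};

/* Allocator hook so a test can make realloc fail without exhausting memory. */
typedef void *(*realloc_fn)(void *, size_t);

/* Append one chunk.  The unchecked sequence the issue describes is, in effect,
 *     zimagedata = realloc(zimagedata, zimagedatalen + len);
 *     memcpy(zimagedata + zimagedatalen, chunk, len);
 * so when realloc returns NULL the memcpy lands at address zimagedatalen,
 * which the file controls (bug 1).  Bug 2 is the same class with malloc and
 * fread: a NULL destination becomes a write at address 0.  Here the result
 * is checked, the old buffer is kept, and the caller is told to bail out. */
int growbuf_append(struct growbuf *b, const unsigned char *chunk, size_t len,
                   realloc_fn xrealloc)
{
    if (len > SIZE_MAX - b->len)
        return -1;                          /* zimagedatalen + len would wrap */
    unsigned char *p = xrealloc(b->data, b->len + len);
    if (p == NULL)
        return -1;                          /* b->data still valid; caller frees it */
    memcpy(p + b->len, chunk, len);
    b->data = p;
    b->len += len;
    return 0;
}

/* realloc stand-in that always fails; used to exercise the error path. */
void *failing_realloc(void *p, size_t n)
{
    (void)p;
    (void)n;
    return NULL;
}

int main(void)
{
    struct png_header h = { 0x10000u, 0x10000u };
    /* wrapping: 0, checked: 2^34 */
    if (alloc_len_wrapping(h) != 0 || alloc_len_checked(h) != ((uint64_t)1 << 34))
        return 1;

    struct growbuf b = { NULL, 0 };
    unsigned char chunk[3] = { 1, 2, 3 };
    if (growbuf_append(&b, chunk, sizeof chunk, realloc) != 0)
        return 1;
    if (growbuf_append(&b, chunk, sizeof chunk, failing_realloc) != -1 || b.len != 3)
        return 1;
    free(b.data);
    return 0;
}
```

The checked size helper returns 0 rather than a wrapped value so the caller has a single condition to reject the file on; the append helper only commits the new pointer and length after the copy succeeds, so a failed reallocation leaves the buffer in a state the caller can still free.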