libming: invalid memory read in OpCode

Description

Ming is a library for generating Macromedia Flash files (.swf), written in C, and includes useful utilities for working with .swf files.

An invalid memory read vulnerability was found in the function OpCode in decompile.c, which allows attackers to cause a denial of service via a crafted file.

#swftocxx $FILE out
=================================================================
SEGV on unknown address 0x60dffffffff0 (pc 0x000000566254 bp 0x2028656c696877 sp 0x7ffda7ccab50 T0)
==20555==The signal is caused by a READ memory access.
    #0 0x566253 in OpCode /home/haojun/Downloads/libming-master/util/decompile.c:868:37
    #1 0x566253 in isLogicalOp /home/haojun/Downloads/libming-master/util/decompile.c:1193
    #2 0x566253 in decompileIF /home/haojun/Downloads/libming-master/util/decompile.c:2332
    #3 0x5875eb in decompileActions /home/haojun/Downloads/libming-master/util/decompile.c:3401:6
    #4 0x5875eb in decompile5Action /home/haojun/Downloads/libming-master/util/decompile.c:3423
    #5 0x52a0c5 in outputSWF_DOACTION /home/haojun/Downloads/libming-master/util/outputscript.c:1548:29
    #6 0x531311 in readMovie /home/haojun/Downloads/libming-master/util/main.c:277:4
    #7 0x531311 in main /home/haojun/Downloads/libming-master/util/main.c:350
    #8 0x7f1829051b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #9 0x41ae7b in _start (/home/haojun/Downloads/libming-afl-build/bin/swftocxx+0x41ae7b)

SEGV /home/haojun/Downloads/libming-master/util/decompile.c:868:37 in OpCode
==20555==ABORTING

Affected version: latest version
Fixed version: N/A
Commit fix: N/A
Credit: ADLab of Venustech.
CVE: N/A
Reproducer:
Timeline:
2017-06-07: bug discovered and reported to the libming GitHub issue page
2017-07-24: blog post about the issue
Permalink:
https://somevulnsofadlab.blogspot.com/2017/07/libminginvalid-memory-read-in-opcode.html
