An integer overflow happens at line 3925 of gSWFParser.cpp:
{
int sz = len;                      // len is a signed int computed by the caller
data = new unsigned char[ sz ];    // a negative sz is converted to an enormous size_t
r->getData( data, sz );            // and sz bytes are then read into the buffer
}
The sz comes from len, and when len becomes a really big integer, the new will return false.
len is a private member of namespace SWF:
namespace SWF {
template <class T>
class IdItem : public Item {
protected:
IdItem() { type = 0; len = 0; }
int getHeaderSize(int size) { return 8; }
void writeHeader(Writer *w, Context *ctx, size_t len) { w->putByte(type); }
void setType(int t) { type = t; }
int getType() { return type; }
void setLength(int l) { len = l; }   // len is stored as a signed int, so it can go negative
int getLength() { return len; }
int type;
int len;
};
}
In the function
Filter *Filter::get(Reader *r, int end, Context *ctx) {
the len is from
int len = end - r->getPosition();
and it will be a negative number, that's why the new operation fails.
ghost changed the title from "bug1 of : an heap-buffer-overflow bug of swfmill swf2xml" to "bug1 : an heap-buffer-overflow bug of swfmill swf2xml" on Jul 1, 2018
PoC:
https://drive.google.com/open?id=1hBFvf2l1Jp8elvm6-HMNf_b6bqd1DzKC
ASan report:
https://drive.google.com/open?id=1btf-tyhwl4bzXNgidrYk96xf43RhqOO7
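The length computation described in the report, modelled stand-alone (this is an added example, not swfmill's own code). Reader, getData and the buffer layout are minimal stand-ins written for the example; the point it shows is what `new unsigned char[sz]` actually requests when `end - r->getPosition()` is negative, and how the same read looks once the computed length is validated against the data that is really left.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <new>
#include <vector>

// Minimal stand-in for swfmill's Reader (assumption: a byte buffer with a
// cursor; the real class is richer, but the position/length logic is the same).
struct Reader {
    std::vector<unsigned char> buf;
    int pos = 0;
    int getPosition() const { return pos; }
    // Copies n bytes from the cursor. Like the pattern in the report, this
    // stand-in trusts n completely and does no bounds check of its own.
    void getData(unsigned char *dst, int n) {
        std::memcpy(dst, buf.data() + pos, static_cast<size_t>(n));
        pos += n;
    }
};

// The arithmetic from Filter::get() as reported: len = end - position, held in
// a signed int. Returns the size that `new unsigned char[sz]` would be asked
// for, i.e. the value after the implicit conversion to size_t.
size_t requestedAllocationSize(int end, int pos) {
    int len = end - pos;   // negative when the declared end lies before the cursor
    int sz = len;
    return static_cast<size_t>(sz);   // -1 becomes SIZE_MAX, not a small buffer
}

// Runs the original allocation with the computed length and reports whether
// operator new[] refused it. On a C++11 compiler a negative count throws
// std::bad_array_new_length, which derives from std::bad_alloc.
bool originalAllocationThrows(int end, int pos) {
    int sz = end - pos;
    try {
        unsigned char *data = new unsigned char[sz];
        delete[] data;
        return false;
    } catch (const std::bad_alloc &) {
        return true;
    }
}

// Hardened version of the same read: the length is validated before any
// allocation. Returns false (and touches nothing) when the declared end is
// behind the cursor or beyond the bytes actually available.
bool readFilterData(Reader &r, int end, std::vector<unsigned char> &out) {
    int pos = r.getPosition();
    if (end < pos) return false;                     // negative length
    size_t len = static_cast<size_t>(end) - static_cast<size_t>(pos);
    size_t remaining = r.buf.size() - static_cast<size_t>(pos);
    if (len > remaining) return false;               // declared length runs past the data
    out.resize(len);
    if (len != 0) r.getData(out.data(), static_cast<int>(len));
    return true;
}

int main() {
    // Constructed input: a five-byte buffer with the cursor at offset 2 and a
    // tag whose declared end (1) already lies behind the cursor.
    Reader r;
    r.buf = {0x10, 0x20, 0x30, 0x40, 0x50};
    r.pos = 2;
    std::vector<unsigned char> out;
    bool rejected = !readFilterData(r, 1, out);      // hardened path refuses it
    bool threw = originalAllocationThrows(1, r.getPosition());
    return (rejected && threw) ? 0 : 1;
}
```

The important detail is the conversion: a negative `int` passed as an array size does not yield a short buffer, it yields a request for close to `SIZE_MAX` bytes, so the first visible symptom is an exception from `new` rather than the overflow the ASan report shows later in the parse. Checking `end < pos` alone is not enough either; the declared end also has to be compared with the bytes left in the reader, otherwise a large positive `len` lets `getData` read past the end of the input.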