poc: https://drive.google.com/open?id=1Z8WmeSap9iPaiUcVJZCIfrkZfvHUSOSa

asan: https://drive.google.com/open?id=1v47arABbjZFQyRV_8lSBOT59jKuTW8gT

swfmill/src/SWFReader.cpp

The segmentation fault happens at:

```cpp
char *Reader::getPStringU30() {
    byteAlign();
    uint32_t len = getU30();          // length taken directly from the input
    char *dst = new char[len+1];      // len+1 is computed in uint32_t
    getData(dst, len);
    dst[len]=0;
    return dst;
}
```

`uint32_t len` is from `getU30()`; in this function there exists an integer overflow:

```cpp
uint32_t Reader::getU30() {
    uint32_t r = 0;
    unsigned char c;
    for (int i = 0; i < 5; i++) {
        c = data[pos++];                  // byte is read before the bound is checked
        r |= (c & 0x7F) << (7 * i);       // 5th byte shifts by 28 bits
        if (!(c & 0x80)) {
            return r;
        }
        if (pos > length) {
            err = Reader::eof;
            pos = length+1;
            return 0;
        }
    }
    return r;
}
```

`r` will be 0xffffffff after parsing.
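For comparison, the following is an added example of a bounds-checked reader for the same two operations; it is hypothetical code written for this page, not swfmill's own code, and the class name `SafeReader` and the wrapper functions `decodeU30`/`decodePString` are assumptions. The point it demonstrates is where the checks have to sit: every byte access is guarded before the read, the five-byte varint is rejected if it does not fit in 30 bits or has no terminating byte, and the decoded string length is compared against the bytes that actually remain before anything is allocated or copied, so a length like 0xffffffff can neither wrap `len+1` to zero nor drive a copy past the buffer.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Added example: a hypothetical bounds-checked reader, not swfmill's own code.
// It mirrors the two functions quoted in the report but refuses malformed input
// instead of trusting the decoded length.
class SafeReader {
public:
    SafeReader(const uint8_t *buf, size_t len) : data(buf), length(len), pos(0) {}

    // U30 varint: up to 5 bytes, 7 payload bits each, least-significant group first.
    // Differences from the quoted getU30(): the bound is checked before every
    // byte access, the 5th byte may only carry the top 2 bits of a 30-bit value,
    // and an unterminated 5-byte run is an error rather than a silent 0xffffffff.
    bool getU30(uint32_t &out) {
        uint32_t r = 0;
        for (int i = 0; i < 5; i++) {
            if (pos >= length) return false;           // would read past the buffer
            uint8_t c = data[pos++];
            uint32_t bits = c & 0x7Fu;
            if (i == 4 && bits > 0x03u) return false;  // value would exceed 30 bits
            r |= bits << (7 * i);
            if (!(c & 0x80)) { out = r; return true; }
        }
        return false;                                  // no terminating byte
    }

    // Length-prefixed string. The length is validated against the bytes that
    // actually remain before anything is allocated or copied.
    bool getPStringU30(std::string &out) {
        uint32_t len = 0;
        if (!getU30(len)) return false;
        if (len > length - pos) return false;          // declared length exceeds remaining data
        out.assign(reinterpret_cast<const char *>(data + pos), len);
        pos += len;
        return true;
    }

private:
    const uint8_t *data;
    size_t length;
    size_t pos;
};

// Decoded value, or -1 when the reader rejects the input.
long long decodeU30(const std::vector<uint8_t> &buf) {
    SafeReader r(buf.data(), buf.size());
    uint32_t v = 0;
    return r.getU30(v) ? static_cast<long long>(v) : -1;
}

struct PStringResult { bool ok; std::string value; };

// Parsed string plus an accepted/rejected flag.
PStringResult decodePString(const std::vector<uint8_t> &buf) {
    SafeReader r(buf.data(), buf.size());
    PStringResult res{false, ""};
    res.ok = r.getPStringU30(res.value);
    return res;
}

int main() {
    // Constructed inputs: a well-formed 5-byte string, and the all-0xff prefix
    // that the quoted code decodes as 0xffffffff.
    std::vector<uint8_t> good = {0x05, 'h', 'e', 'l', 'l', 'o'};
    std::vector<uint8_t> bad = {0xff, 0xff, 0xff, 0xff, 0xff, 'x'};
    PStringResult a = decodePString(good);
    PStringResult b = decodePString(bad);
    std::printf("good: ok=%d value=%s\n", a.ok, a.value.c_str());
    std::printf("bad:  ok=%d (rejected before allocation)\n", b.ok);
    return 0;
}
```

The same check also catches the quieter case of a length that fits in 30 bits but is larger than the remaining input, which is the variant a fuzzer would find next; `decodePString` simply reports `ok == false` and the caller decides how to fail.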