bug 5: heap oob read (info leak) bug of swfmill swf2xml #50

Open
ghost opened this issue Jul 1, 2018 · 0 comments
ghost commented Jul 1, 2018

poc:
https://drive.google.com/open?id=1QtKIySFez4q1XG7UzRAOwN0cZ_s3urhd
asan:
https://drive.google.com/open?id=1lrD-UBZEKFZggTyIUtYcdQQJzN9fkAJD

```cpp
bool DefineSceneAndFrameLabelData::parse( Reader *r, int end, Context *ctx ) {
    file_offset = r->getPosition();
    if( ctx->debugTrace ) {
        fprintf( stderr, "PARSE %s @%i-%i :%i\n",
                 "DefineSceneAndFrameLabelData",
                 r->getPosition(),
                 r->getBits(),
                 end );
    }

    // sceneCount is read straight from the file and never validated
    sceneCount = r->getEncodedU32();
    if( ctx->debugTrace ) {
        fprintf( stderr, "PARSE %s: %" PRIi32 "\n",
                 "sceneCount",
                 sceneCount );
    }

    {
        if( ctx->debugTrace ) {
            fprintf( stderr, "PARSE list<%s> %s: %i items, @%i-%i :%i\n",
                     "Scene",
                     "scenes",
                     sceneCount,
                     r->getPosition(),
                     r->getBits(),
                     end );
        }
        Scene *item;
        // the loop runs sceneCount times; neither the count nor the
        // reader position is ever compared against end
        for( int i=0; i<sceneCount; i++ ) {
            item = Scene::get(r,end,ctx);
            scenes.append( item );
        }
    }
    // ... remainder of DefineSceneAndFrameLabelData::parse not included in the report
}

Scene* Scene::get( Reader *r, int end, Context *ctx ) {
    Scene* ret = new Scene;
    ret->parse( r, end, ctx );   // return value of parse is ignored
    return ret;
}

bool Scene::parse( Reader *r, int end, Context *ctx ) {
    file_offset = r->getPosition();
    if( ctx->debugTrace ) {
        fprintf( stderr, "PARSE %s @%i-%i :%i\n",
                 "Scene",
                 r->getPosition(),
                 r->getBits(),
                 end );
    }

    // end is only printed, never used to bound the reads below
    offset = r->getEncodedU32();
    if( ctx->debugTrace ) {
        fprintf( stderr, "PARSE %s: %" PRIi32 "\n",
                 "offset",
                 offset );
    }
    name = r->getString();
    if( ctx->debugTrace ) {
        fprintf( stderr, "PARSE %s: %s\n",
                 "name",
                 name );
    }

    return r->getError() == Reader::ok;
}
```

The value `end` is useless!
Because the value `sceneCount` is set from the value in the file (`r->getEncodedU32()`), this value can be faked!
In the loop below, `for( int i=0; i<sceneCount; i++ )`, `Scene::get` will be executed many times without checking.
So a heap out-of-bounds read will happen, which may cause memory leaking!

@djcsdy djcsdy added the bug label Jul 2, 2018
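As an added example (not swfmill's code, and not from the reporter), the following shows what the scene-list parse looks like once the two checks the report says are missing are in place: the count read from the file is compared against the bytes that remain before `end`, and every per-item read is checked for failure and for crossing `end`. The `Reader`, `Scene` and `parseScenes` names are assumptions modelled on the snippet above; the reader here is a minimal stand-in that implements SWF's EncodedU32 (little-endian base-128 varint) and NUL-terminated strings over an in-memory buffer, and all input bytes are constructed for the demonstration.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Minimal stand-in for swfmill's Reader (assumed interface, not the real class).
// Every read fails cleanly instead of running past the buffer.
class Reader {
public:
    enum { ok = 0, eof = 1 };
    explicit Reader(const std::vector<uint8_t>& data) : buf(data), pos(0), error(false) {}

    size_t getPosition() const { return pos; }
    int getError() const { return error ? eof : ok; }

    // SWF EncodedU32: 7 data bits per byte, high bit set on all but the last byte, max 5 bytes.
    uint32_t getEncodedU32() {
        uint32_t value = 0;
        for (int shift = 0; shift < 35; shift += 7) {
            if (pos >= buf.size()) { error = true; return 0; }
            uint8_t b = buf[pos++];
            value |= (uint32_t)(b & 0x7f) << shift;
            if (!(b & 0x80)) return value;
        }
        error = true;   // sixth continuation byte: malformed varint
        return 0;
    }

    // NUL-terminated string; a missing terminator is an error, not an over-read.
    std::string getString() {
        std::string s;
        for (;;) {
            if (pos >= buf.size()) { error = true; return s; }
            uint8_t c = buf[pos++];
            if (c == 0) return s;
            s.push_back((char)c);
        }
    }

private:
    std::vector<uint8_t> buf;
    size_t pos;
    bool error;
};

struct Scene {
    uint32_t offset;
    std::string name;
};

// Bounds-checked version of the scene list parse. `end` is the first byte after the tag.
bool parseScenes(Reader& r, size_t end, std::vector<Scene>& out) {
    uint32_t sceneCount = r.getEncodedU32();
    if (r.getError() != Reader::ok || r.getPosition() > end) return false;

    // A scene occupies at least 2 bytes (1-byte offset plus an empty name's NUL),
    // so any count above (remaining bytes / 2) cannot have come from a valid file.
    size_t remaining = end - r.getPosition();
    if (sceneCount > remaining / 2) return false;

    for (uint32_t i = 0; i < sceneCount; i++) {
        if (r.getPosition() >= end) return false;   // no bytes left for this item
        Scene s;
        s.offset = r.getEncodedU32();
        s.name = r.getString();
        // fail if the item was truncated or straddled the tag boundary
        if (r.getError() != Reader::ok || r.getPosition() > end) return false;
        out.push_back(s);
    }
    return true;
}

// Convenience wrapper: parse `data[0..end)` as a scene list.
bool parseSceneBytes(const std::vector<uint8_t>& data, size_t end, std::vector<Scene>& out) {
    Reader r(data);
    return parseScenes(r, end, out);
}

int main() {
    std::vector<Scene> scenes;
    // Constructed input: count 2, (offset 0, "a"), (offset 1, "b"); tag ends at byte 7.
    std::vector<uint8_t> good = {0x02, 0x00, 'a', 0x00, 0x01, 'b', 0x00};
    std::printf("well-formed: %s, %zu scenes\n",
                parseSceneBytes(good, good.size(), scenes) ? "accepted" : "rejected", scenes.size());

    // Constructed input: count field encodes 0xFFFFFFFF with no scene bytes behind it.
    std::vector<uint8_t> huge = {0xFF, 0xFF, 0xFF, 0xFF, 0x0F};
    scenes.clear();
    std::printf("oversized count: %s\n",
                parseSceneBytes(huge, huge.size(), scenes) ? "accepted" : "rejected");
    return 0;
}
```

The third situation worth checking is a count that is plausible for the tag length but whose items spill past `end` into whatever follows the tag; the pre-loop check against `remaining / 2` lets such a count through, and it is the per-item position check that rejects it.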