From: Hugo L. <no...@gi...> - 2020-07-12 20:31:36
  Branch: refs/heads/master
  Home:   https://github.com/libming/libming

  Commit: dc65ba0497f4c5ca58be2018e2816e72baf63634
      https://github.com/libming/libming/commit/dc65ba0497f4c5ca58be2018e2816e72baf63634
  Author: Hugo Lefeuvre <hl...@de...>
  Date:   2020-07-12 (Sun, 12 Jul 2020)

  Changed paths:
    M NEWS
    M util/decompile.c

  Log Message:
  -----------
  decompile: Fix null pointer dereference in getInt

  When getInt is passed a PUSH_REGISTER parameter, it retrieves the content of this register and returns the value contained by this register as an int. When this register is empty, we call getInt with a NULL pointer and a null pointer dereference occurs.

  In this patch we first make sure that regs[act->p.RegisterNumber] is not NULL before doing anything with it.

  Fixes #133 (CVE-2018-9132).


  Commit: 1d698a4b1f03d6136bbf2b0171b86985be553454
      https://github.com/libming/libming/commit/1d698a4b1f03d6136bbf2b0171b86985be553454
  Author: Hugo Lefeuvre <hl...@de...>
  Date:   2020-07-12 (Sun, 12 Jul 2020)

  Changed paths:
    M NEWS
    M util/decompile.c

  Log Message:
  -----------
  decompile: fix use-after-free in decompileJUMP

  Same issue as f42fdb4 (functions accessing the actions array without checking the validity of n, the user-entered index), same fix. In this patch we also fix other source code places which might be affected by the same bug.

  Fixes #131 (CVE-2018-9009).


  Commit: a6cf16adefcbfe94fef65041b484cb6c4aaa358e
      https://github.com/libming/libming/commit/a6cf16adefcbfe94fef65041b484cb6c4aaa358e
  Author: Hugo Lefeuvre <hl...@de...>
  Date:   2020-07-12 (Sun, 12 Jul 2020)

  Changed paths:
    M NEWS
    M util/swftypes.h

  Log Message:
  -----------
  swftypes: fix type issue causing memory exhaustion

  This commit fixes the memory exhaustion issue in parseSWF_ACTIONRECORD (fixes: #109, CVE-2018-7876).

  The original issue is triggered by an integer overflow in parseSWF_ACTIONRECORD, where we read a UI16 and store it in a WORD, which is defined as SI16. This is because type WORD (=SI16) is used for NumParam (in SWF_ACTIONDEFINEFUNCTION), while the specification says it should be UI16 (page 92 of the spec).

  This patch addresses this type issue by changing the type of NumParam from WORD to UI16.


  Commit: efc75c28e89fe864cf0412d5a5f0b4a451e14509
      https://github.com/libming/libming/commit/efc75c28e89fe864cf0412d5a5f0b4a451e14509
  Author: Hugo Lefeuvre <hl...@de...>
  Date:   2020-07-12 (Sun, 12 Jul 2020)

  Changed paths:
    M NEWS
    M util/decompile.c

  Log Message:
  -----------
  decompile: fix buffer-overflow in getString

  getString prints a 32 bit integer to a 10 char buffer, but the number itself has 10 digits so there's an overflow. Similar to #116, same fix.

  Fixes #111, CVE-2018-7873.


  Commit: 0aab70a3020dd8b4fad66b20995fc691f24a0317
      https://github.com/libming/libming/commit/0aab70a3020dd8b4fad66b20995fc691f24a0317
  Author: Hugo Lefeuvre <hl...@de...>
  Date:   2020-07-12 (Sun, 12 Jul 2020)

  Changed paths:
    M NEWS
    M util/decompile.c

  Log Message:
  -----------
  decompile: fix null pointer dereference in newVar3

  getString (indirectly called by getName) is passed a variable of non-standard type 10 (= "PUSH_VARIABLE"), which seems to return the string contained in the passed variable, without quotes. If the contained string is NULL, a NULL pointer is returned, which later causes a NULL pointer dereference.

  In this patch we address this issue such that if the variable contains an invalid string, we act just like in the PUSH_STRING case. Otherwise a copy of the string is returned.

  Fixes: #118 (CVE-2018-7866).


  Commit: 6e5a28dc0419e5c6681292db40cbd996fadf9213
      https://github.com/libming/libming/commit/6e5a28dc0419e5c6681292db40cbd996fadf9213
  Author: Hugo Lefeuvre <hl...@de...>
  Date:   2020-07-12 (Sun, 12 Jul 2020)

  Changed paths:
    M util/decompile.c

  Log Message:
  -----------
  decompile: introduce new method Offset

  The getString method in decompile.c is vulnerable to a buffer overflow which can be triggered using a crafted SWF file. This vulnerability is the consequence of unchecked accesses to the actions array when getting the offset of SWF_ACTIONRECORD objects. This pattern is present a bit everywhere in the source code, leading to a large number of potential flaws similar to this one.

  In this commit we introduce a new Offset method similar to the OpCode method which handles bounds checking when retrieving the offset of SWF_ACTIONRECORD objects. This commit also modifies getString to use this newly introduced method and address the previously explained bug. Usage of the newly introduced Offset method will be generalized in a future commit.

  Please note that this commit won't be sufficient to fix #144 (CVE-2018-11226) since another issue is triggered by the same sample.


  Commit: fbbb6f82199de42110c0299e50c5b2f81d8897f4
      https://github.com/libming/libming/commit/fbbb6f82199de42110c0299e50c5b2f81d8897f4
  Author: Hugo Lefeuvre <hl...@de...>
  Date:   2020-07-12 (Sun, 12 Jul 2020)

  Changed paths:
    M util/decompile.c

  Log Message:
  -----------
  decompile: fix loop cond issue leading to OOB read

  In decompileSETTARGET a while loop is used to count the number of operations until a certain type of operation has been reached. This loop uses action_cnt+n < maxn as stop condition, meaning that action_cnt+n = maxn might be true after the loop. This is wrong because action_cnt is used as the number of operations to process in an array of maxn-n-1 elements.

  Fix the loop's stop condition and switch to a for loop for better readability.

  This patch is the second part of the CVE-2018-11226 fix (fixes: #144).


Compare: https://github.com/libming/libming/compare/a009a38dce1d...fbbb6f82199d
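As an added illustration (not libming's code and not the patches in these commits), the C below sketches the defensive pattern the Offset/OpCode commit, the decompileSETTARGET loop commit and the NumParam type commit describe: accessors that check the index n against maxn before touching the actions array, a scan that reports failure instead of yielding a count that runs off the end, and NumParam decoded as the unsigned UI16 the spec gives. The record layout, field names, the BAD_INDEX sentinel and the sample action table are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-in for an SWF action record (assumed layout, not libming's). */
typedef struct {
    uint8_t  ActionCode;
    uint32_t Offset;
} ActionRecord;

#define BAD_INDEX (-1)   /* returned when n is outside [0, maxn) */

/* Opcode of action n, or BAD_INDEX if n is out of range or actions is NULL. */
int OpCode(const ActionRecord *actions, int n, int maxn)
{
    if (actions == NULL || n < 0 || n >= maxn)
        return BAD_INDEX;
    return actions[n].ActionCode;
}

/* Offset of action n with the same contract as OpCode: no unchecked access. */
long Offset(const ActionRecord *actions, int n, int maxn)
{
    if (actions == NULL || n < 0 || n >= maxn)
        return BAD_INDEX;
    return (long)actions[n].Offset;
}

/* Number of actions from n up to the first one whose opcode is `stop`.
 * Returns -1 when no such action exists before maxn, so the caller can
 * reject the input instead of working with a count equal to maxn - n. */
int CountUntil(const ActionRecord *actions, int n, int maxn, uint8_t stop)
{
    for (int action_cnt = 0; action_cnt + n < maxn; action_cnt++)
        if (OpCode(actions, action_cnt + n, maxn) == stop)
            return action_cnt;
    return -1;
}

/* NumParam as the spec's UI16 (little-endian bytes): 0xFFFF stays 65535. */
unsigned ReadNumParam(const uint8_t *p)
{
    return (unsigned)p[0] | ((unsigned)p[1] << 8);
}

/* The same value forced into a signed 16-bit WORD, the type the fix removed:
 * 65535 becomes -1, which a later size computation would misinterpret. */
int AsWord(unsigned v) { return (int16_t)v; }

/* Constructed sample table of four actions for exercising the helpers. */
static const ActionRecord kSample[4] = {{0x96, 0}, {0x0B, 5}, {0x8B, 7}, {0x00, 9}};
```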