From: Sandro S. <no...@gi...> - 2020-07-23 05:13:59
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 04aee52363688426eab74f5d6180c149654a6473
https://github.com/libming/libming/commit/04aee52363688426eab74f5d6180c149654a6473
Author: Sandro Santilli <st...@kb...>
Date: 2020-07-23 (Thu, 23 Jul 2020)

Changed paths:
  M configure.ac
  R macros/python.m4

Log Message:
-----------
Drop unused python macro

From: Sandro S. <no...@gi...> - 2020-07-22 21:05:31
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: e964bae90a9ddf2f1fbdedcc9e6288858ad1fad5
https://github.com/libming/libming/commit/e964bae90a9ddf2f1fbdedcc9e6288858ad1fad5
Author: Sandro Santilli <st...@kb...>
Date: 2020-07-22 (Wed, 22 Jul 2020)

Changed paths:
  R .travis.yml
  M README

Log Message:
-----------
Replace travis with github actions

Commit: b955352f204c3d1969044bf99760587ddffe7438
https://github.com/libming/libming/commit/b955352f204c3d1969044bf99760587ddffe7438
Author: Sandro Santilli <st...@kb...>
Date: 2020-07-22 (Wed, 22 Jul 2020)

Changed paths:
  M .github/workflows/ci.yml

Log Message:
-----------
Install whatever php version is found on the system

Compare: https://github.com/libming/libming/compare/a989ee9e3072...b955352f204c

From: Sandro S. <no...@gi...> - 2020-07-22 21:01:22
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: a989ee9e30723b3feab0284e626b38fd6284cc72
https://github.com/libming/libming/commit/a989ee9e30723b3feab0284e626b38fd6284cc72
Author: Sandro Santilli <st...@kb...>
Date: 2020-07-22 (Wed, 22 Jul 2020)

Changed paths:
  M .gitignore
  R config/compile
  R config/depcomp
  R config/missing

Log Message:
-----------
Remove files generated by ./autogen.sh

From: Sandro S. <no...@gi...> - 2020-07-22 20:57:53
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: a02a1774aab84edadcd37e3ec63f96d2b1739b27
https://github.com/libming/libming/commit/a02a1774aab84edadcd37e3ec63f96d2b1739b27
Author: Sandro Santilli <st...@kb...>
Date: 2020-07-22 (Wed, 22 Jul 2020)

Changed paths:
  R .github/workflow/ci.yml
  A .github/workflows/ci.yml

Log Message:
-----------
[github] Rename workflow to workflows...

From: Sandro S. <no...@gi...> - 2020-07-22 20:57:02
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 162c4018e79aa570c728405233545e9ad79f32e2
https://github.com/libming/libming/commit/162c4018e79aa570c728405233545e9ad79f32e2
Author: Sandro Santilli <st...@kb...>
Date: 2020-07-22 (Wed, 22 Jul 2020)

Changed paths:
  M .github/workflow/ci.yml

Log Message:
-----------
Add name to workflow

From: Tom S. <no...@gi...> - 2020-07-22 20:53:19
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 9a915ff77725ec79bf8bcdb28262677423e6fee4
https://github.com/libming/libming/commit/9a915ff77725ec79bf8bcdb28262677423e6fee4
Author: Tom Stellard <tst...@re...>
Date: 2020-07-22 (Wed, 22 Jul 2020)

Changed paths:
  M test/FillStyle/test07-cxx.C
  M test/FillStyle/test08-cxx.C
  M test/Movie/Background/test01-cxx.C
  M test/Movie/Background/test02-cxx.C
  M test/Movie/Background/test03-cxx.C
  M test/Movie/Dimension/test01-cxx.C
  M test/Movie/FrameLabel/test01-cxx.C
  M test/Movie/FrameLabel/test02-cxx.C
  M test/Movie/NumFrames/test01-cxx.C
  M test/Movie/Protect/test01-cxx.C
  M test/Movie/Protect/test02-cxx.C
  M test/Movie/Rate/test01-cxx.C
  M test/Movie/add/test01-cxx.C
  M test/Movie/add/test02-cxx.C
  M test/Movie/addMetadata/test01-cxx.C
  M test/Movie/new/test01-cxx.C
  M test/Movie/new/test02-cxx.C
  M test/Movie/new/test03-cxx.C
  M test/Movie/new/test04-cxx.C
  M test/Movie/new/test05-cxx.C
  M test/Movie/new/test06-cxx.C
  M test/Movie/new/test07-cxx.C
  M test/Movie/nextFrame/test01-cxx.C
  M test/Movie/nextFrame/test02-cxx.C

Log Message:
-----------
Fix compilation of tests with clang

These were failing to build with this error:

error: C++ requires a type specifier for all declarations

From: Sandro S. <no...@gi...> - 2020-07-22 20:51:50
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 7a0809cc5a09a140a6bae318f6085be5ada60c92
https://github.com/libming/libming/commit/7a0809cc5a09a140a6bae318f6085be5ada60c92
Author: Sandro Santilli <st...@kb...>
Date: 2020-07-22 (Wed, 22 Jul 2020)

Changed paths:
  A .github/workflow/ci.yml

Log Message:
-----------
Add github action for testing code

From: Sandro S. <no...@gi...> - 2020-07-22 20:44:22
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 1b26ac4c9c403f8c42e8c5f36b13b589ea88addb
https://github.com/libming/libming/commit/1b26ac4c9c403f8c42e8c5f36b13b589ea88addb
Author: Sandro Santilli <st...@kb...>
Date: 2020-07-22 (Wed, 22 Jul 2020)

Changed paths:
  M util/outputscript.c

Log Message:
-----------
Include type specifier for main() function in CXX output

See #198

From: Hugo L. <no...@gi...> - 2020-07-12 20:31:36
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: dc65ba0497f4c5ca58be2018e2816e72baf63634
https://github.com/libming/libming/commit/dc65ba0497f4c5ca58be2018e2816e72baf63634
Author: Hugo Lefeuvre <hl...@de...>
Date: 2020-07-12 (Sun, 12 Jul 2020)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
decompile: Fix null pointer dereference in getInt

When getInt is passed a PUSH_REGISTER parameter, it retrieves the content of this register and returns the value contained by this register as an int. When this register is empty, we call getInt with a NULL pointer and a null pointer dereference occurs.

In this patch we first make sure that regs[act->p.RegisterNumber] is not NULL before doing anything with it.

Fixes #133 (CVE-2018-9132).

Commit: 1d698a4b1f03d6136bbf2b0171b86985be553454
https://github.com/libming/libming/commit/1d698a4b1f03d6136bbf2b0171b86985be553454
Author: Hugo Lefeuvre <hl...@de...>
Date: 2020-07-12 (Sun, 12 Jul 2020)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
decompile: fix use-after-free in decompileJUMP

Same issue as f42fdb4 (functions accessing actions array without checking the validity of n, the user entered index), same fix.

In this patch we also fix other source code places which might be affected by the same bug.

Fixes #131 (CVE-2018-9009).

Commit: a6cf16adefcbfe94fef65041b484cb6c4aaa358e
https://github.com/libming/libming/commit/a6cf16adefcbfe94fef65041b484cb6c4aaa358e
Author: Hugo Lefeuvre <hl...@de...>
Date: 2020-07-12 (Sun, 12 Jul 2020)

Changed paths:
  M NEWS
  M util/swftypes.h

Log Message:
-----------
swftypes: fix type issue causing memory exhaustion

This commit fixes the memory exhaustion issue in parseSWF_ACTIONRECORD (fixes: #109, CVE-2018-7876).

The original issue is triggered by an integer overflow in parseSWF_ACTIONRECORD, where we read a UI16 and store it in a WORD, which is defined as SI16.

This is because type WORD (=SI16) is used for NumParam (in SWF_ACTIONDEFINEFUNCTION), while the specification says it should be UI16 (page 92 of the spec).

This patch addresses this type issue by changing type of NumParam from WORD to UI16.

Commit: efc75c28e89fe864cf0412d5a5f0b4a451e14509
https://github.com/libming/libming/commit/efc75c28e89fe864cf0412d5a5f0b4a451e14509
Author: Hugo Lefeuvre <hl...@de...>
Date: 2020-07-12 (Sun, 12 Jul 2020)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
decompile: fix buffer-overflow in getString

getString prints a 32 bit integer to a 10 char buffer, but the number itself has 10 digits so there's an overflow.

Similar to #116, same fix.

Fixes #111, CVE-2018-7873.

Commit: 0aab70a3020dd8b4fad66b20995fc691f24a0317
https://github.com/libming/libming/commit/0aab70a3020dd8b4fad66b20995fc691f24a0317
Author: Hugo Lefeuvre <hl...@de...>
Date: 2020-07-12 (Sun, 12 Jul 2020)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
decompile: fix null pointer dereference in newVar3

getString (indirectly called by getName) is passed a variable of non standard type 10 (= "PUSH_VARIABLE"), which seems to return the string contained in passed variable, without quotes. If contained string is NULL, a NULL pointer is returned, which later causes NULL pointer dereference.

In this patch we address this issue such that if the variable contains an invalid string, we act just like in the PUSH_STRING case. Otherwise a copy of the string is returned.

Fixes: #118 (CVE-2018-7866).

Commit: 6e5a28dc0419e5c6681292db40cbd996fadf9213
https://github.com/libming/libming/commit/6e5a28dc0419e5c6681292db40cbd996fadf9213
Author: Hugo Lefeuvre <hl...@de...>
Date: 2020-07-12 (Sun, 12 Jul 2020)

Changed paths:
  M util/decompile.c

Log Message:
-----------
decompile: introduce new method Offset

The getString method in decompile.c is vulnerable to a buffer overflow which can be triggered using a crafted SWF file.

This vulnerability is the consequence of unchecked accesses to the actions array when getting the offset of SWF_ACTIONRECORD objects. This pattern is present a bit everywhere in the source code, leading to a large number of potential flaws similar to this one.

In this commit we introduce a new Offset method similar to the OpCode method which handles bound checking when retrieving the offset of SWF_ACTIONRECORD objects. This commit also modifies getString to use this newly introduced method and address the previously explained bug.

Usage of the newly introduced Offset method will be generalized in a future commit.

Please, note that this commit won't be sufficient to fix #144 (CVE-2018-11226) since another issue is triggered by the same sample.

Commit: fbbb6f82199de42110c0299e50c5b2f81d8897f4
https://github.com/libming/libming/commit/fbbb6f82199de42110c0299e50c5b2f81d8897f4
Author: Hugo Lefeuvre <hl...@de...>
Date: 2020-07-12 (Sun, 12 Jul 2020)

Changed paths:
  M util/decompile.c

Log Message:
-----------
decompile: fix loop cond issue leading to OOB read

In decompileSETTARGET a while loop is used to count the number of operations until a certain type of operation has been reached. This loop uses action_cnt+n < maxn as stop condition, meaning that action_cnt+n = maxn might be true after the loop. This is wrong because action_cnt is used as the number of operations to process in an array of maxn-n-1 elements.

Fix the loop's stop condition and switch to for loop for better readability.

This patch is the second part of the CVE-2018-11226 fix (fixes: #144).

Compare: https://github.com/libming/libming/compare/a009a38dce1d...fbbb6f82199d

From: Sandro S. <no...@gi...> - 2020-07-12 20:29:36
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 6e76e8c71cb51c8ba0aa9737a636b9ac3029887f
https://github.com/libming/libming/commit/6e76e8c71cb51c8ba0aa9737a636b9ac3029887f
Author: Young Xiao <Ya...@ho...>
Date: 2020-07-12 (Sun, 12 Jul 2020)

Changed paths:
  M src/blocks/shape.c

Log Message:
-----------
SWFShape_setLeftFillStyle: prevent fill overflow

Commit: da9d86eab55cbf608d5c916b8b690f5b76bca462
https://github.com/libming/libming/commit/da9d86eab55cbf608d5c916b8b690f5b76bca462
Author: Young Xiao <Ya...@ho...>
Date: 2020-07-12 (Sun, 12 Jul 2020)

Changed paths:
  M util/decompile.c

Log Message:
-----------
decompileAction: Prevent heap buffer overflow and underflow with using OpCode

Commit: a009a38dce1d9316cad1ab522b813b1d5ba4c62a
https://github.com/libming/libming/commit/a009a38dce1d9316cad1ab522b813b1d5ba4c62a
Author: Young Xiao <Ya...@ho...>
Date: 2020-07-12 (Sun, 12 Jul 2020)

Changed paths:
  M src/blocks/input.c

Log Message:
-----------
Fix left shift of a negative value in SWFInput_readSBits.

Check for number before left-shifting by (number-1).

Compare: https://github.com/libming/libming/compare/50098023446a...a009a38dce1d

From: GitHub <no...@gi...> - 2018-11-12 20:24:26
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 50098023446a5412efcfbd40552821a8cba983a6
https://github.com/libming/libming/commit/50098023446a5412efcfbd40552821a8cba983a6
Author: Jakub Jankiewicz <jc...@on...>
Date: 2018-11-12 (Mon, 12 Nov 2018)

Changed paths:
  M README

Log Message:
-----------
fix markdown link in README

**NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/

Functionality will be removed from GitHub.com on January 31st, 2019.

From: GitHub <no...@gi...> - 2018-07-10 21:21:36
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: a89a619e187ebe070db2a1760f3b90489bfff382
https://github.com/libming/libming/commit/a89a619e187ebe070db2a1760f3b90489bfff382
Author: Lars Wendler <pol...@ge...>
Date: 2018-07-10 (Tue, 10 Jul 2018)

Changed paths:
  M configure.ac

Log Message:
-----------
Use pkg-config to find freetype

As of freetype-2.9.1 the freetype-config script has been deprecated and is no longer shipped by default.

From: GitHub <no...@gi...> - 2018-05-20 15:10:24
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 5b3b9c1bcf4fbf74c40461292405ce5a1f196731
https://github.com/libming/libming/commit/5b3b9c1bcf4fbf74c40461292405ce5a1f196731
Author: Sandro Santilli <st...@kb...>
Date: 2018-05-20 (Sun, 20 May 2018)

Changed paths:
  A configure.ac
  R configure.in
  M perl_ext/Makefile.PL

Log Message:
-----------
Renamed configure.in to configure.ac

Partial modernization of build scripts...

Closes #139

From: GitHub <no...@gi...> - 2018-05-20 05:49:26
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 8dd118eac8a3c93c2f42089e7af4d7bb8cefd0b3
https://github.com/libming/libming/commit/8dd118eac8a3c93c2f42089e7af4d7bb8cefd0b3
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-05-20 (Sun, 20 May 2018)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Fix null pointer dereference in getName/getString

Whenever getString or getName are called with an act such that act->p.String is a NULL pointer, a NULL pointer dereference might happen (strlen(act->p.string) is called).

In this commit we add checks at the beginning of the PUSH_STRING block so that a warning is displayed and an empty string is returned in this case.

This patch fixes #121.

Commit: 30170828f1e8e4dff95af6e319b4ad59e64796d9
https://github.com/libming/libming/commit/30170828f1e8e4dff95af6e319b4ad59e64796d9
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-05-20 (Sun, 20 May 2018)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Fix heap-buffer-overflow in getString

getString is allocating a 4-bytes buffer to store an 'R' and an 8-bit number.

    t=malloc(4); /* Rdd */
    sprintf(t,"R%d", act->p.RegisterNumber );
    return t;

Since up to three digits can be required to store the 8-bit number, the buffer has to be 5 bytes long.

In this commit we also fix the PUSH_DOUBLE case by dynamically computing the required buffer size.

This commit fixes #116 (CVE-2018-7867).

Commit: 6f1ab314684423be5c8bf29c73f65fadfbe71382
https://github.com/libming/libming/commit/6f1ab314684423be5c8bf29c73f65fadfbe71382
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-05-20 (Sun, 20 May 2018)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Perform deep copy in pushdup (instead of shallow)

Until now, the element duplication in pushdup was performed via t->val = Stack->val. While this is perfectly fine for integer/double/register values, this may create nasty, hard to debug issues with Strings.

In fact, when called with a String at the top of the stack, pushdup would only push *a reference* to the same String element (shallow copy), later allowing to modify several stack elements at once, which may potentially lead to NULL pointer dereferences or any other unspecified impact.

In this patch we implement deep copy in pushdup:

* If the type of the stack element is 's' (for String), we allocate a new buffer and copy the String into it.
* Otherwise we simply proceed as before, that is we do t->val = Stack->val which is perfectly fine since we are not dealing with pointers.

This patch is the last part of the patch for #121 (fixes #121), which should now be completely fixed.

Compare: https://github.com/libming/libming/compare/50e2bf750fd8...6f1ab3146844

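The two getString overflows described in this archive (the 4-byte buffer for `R%d`, and the 10-char buffer for a 32-bit integer) share one cause: a hand-counted buffer size. The following is an added example, not libming's code or its actual fix; the helper names `fmt_alloc`, `register_name` and `int32_text` are hypothetical. It shows one way to size the allocation from the formatted length itself.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format into a heap buffer sized from the formatted length itself:
 * pass 1 measures with vsnprintf(NULL, 0, ...), pass 2 writes. */
static char *fmt_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    char *s = NULL;
    int need;

    va_start(ap, fmt);
    va_copy(ap2, ap);
    need = vsnprintf(NULL, 0, fmt, ap);      /* length without the NUL */
    va_end(ap);

    if (need >= 0 && (s = malloc((size_t)need + 1)) != NULL)
        vsnprintf(s, (size_t)need + 1, fmt, ap2);
    va_end(ap2);
    return s;                                /* caller frees; NULL on failure */
}

/* Bytes, including the terminating NUL, that "R%d" needs for a register. */
static size_t register_name_size(uint8_t reg)
{
    return (size_t)snprintf(NULL, 0, "R%d", reg) + 1;
}

/* Bytes, including the NUL, that a decimal 32-bit integer needs. */
static size_t int32_text_size(int32_t v)
{
    return (size_t)snprintf(NULL, 0, "%ld", (long)v) + 1;
}

/* Hypothetical replacements for the fixed-size malloc + sprintf pattern. */
static char *register_name(uint8_t reg) { return fmt_alloc("R%d", reg); }
static char *int32_text(int32_t v)      { return fmt_alloc("%ld", (long)v); }

int main(void)
{
    char *r = register_name(255);
    char *i = int32_text(INT32_MIN);

    if (r == NULL || i == NULL)
        return 1;
    printf("%s needs %zu bytes; malloc(4) is one short\n",
           r, register_name_size(255));
    printf("%s needs %zu bytes; a 10-char buffer is too small\n",
           i, int32_text_size(INT32_MIN));
    free(r);
    free(i);
    return 0;
}
```
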
From: GitHub <no...@gi...> - 2018-03-13 07:36:05
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 50e2bf750fd857edc86dc06a0c615dbe5a166d71
https://github.com/libming/libming/commit/50e2bf750fd857edc86dc06a0c615dbe5a166d71
Author: Sandro Santilli <st...@kb...>
Date: 2018-03-13 (Tue, 13 Mar 2018)

Changed paths:
  M AUTHORS

Log Message:
-----------
Add Hugo Lefeuvre to AUTHORS

From: GitHub <no...@gi...> - 2018-03-13 07:32:53
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 3a000c7b6fe978dd9925266bb6847709e06dbaa3
https://github.com/libming/libming/commit/3a000c7b6fe978dd9925266bb6847709e06dbaa3
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-03-12 (Mon, 12 Mar 2018)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Fix heap-buffer-overflows when accessing pool

Constants are usually retrieved from the constant pool without verifying that the pool actually contains them, which may lead to various heap buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool contains, and checks making sure that whenever the pool is accessed, the constant is present in the pool (constant position < pool counter).

Also, do not return "" when a pointer is expected (it should be legal to free this return value).

This patch fixes #112 (CVE-2018-7875), fixes #120 (CVE-2018-7871), fixes #117 (CVE-2018-7870), fixes #114 (CVE-2018-7872), fixes #122, fixes #113 (CVE-2018-7868), fixes #123.

Commit: eeca3fee7a005b9934330a5ce9e683ae21bd120e
https://github.com/libming/libming/commit/eeca3fee7a005b9934330a5ce9e683ae21bd120e
Author: Sandro Santilli <st...@kb...>
Date: 2018-03-13 (Tue, 13 Mar 2018)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Merge pull request #125 from hlef/master

Fix various issues with pool management / access

Compare: https://github.com/libming/libming/compare/c4d20b127bac...eeca3fee7a00

From: GitHub <no...@gi...> - 2018-03-11 22:04:00
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: cff9a3bd2c428ad0cd8c8deb538031e11f29a0fe
https://github.com/libming/libming/commit/cff9a3bd2c428ad0cd8c8deb538031e11f29a0fe
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-03-11 (Sun, 11 Mar 2018)

Changed paths:
  M NEWS
  M util/listfdb.c

Log Message:
-----------
Fix heap buffer overflow in listfdb.c

listfdb reads nGlyphs + 1 glyphs and stores them in an array of size nGlyphs*sizeof(int), resulting in a heap buffer overflow.

In this commit we replace for(i=0; i<=nGlyphs; ++i) by for(i=0; i < nGlyphs; ++i) so that only nGlyphs glyphs are read.

This patch addresses CVE-2018-6358 (fixes #104).

Commit: c622cfcedef8c905776fcd9d70b8c1d115ba99b0
https://github.com/libming/libming/commit/c622cfcedef8c905776fcd9d70b8c1d115ba99b0
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-03-11 (Sun, 11 Mar 2018)

Changed paths:
  M NEWS
  M util/Makefile.am
  M util/listfdb.c
  M util/read.h

Log Message:
-----------
Fix code duplication issue in listfdb

listfdb is shipping a large portion of duplicate code from the read module. This is a major security flaw given that the copied source code is affected by a large number of security issues (actually, almost all issues discovered in read.c for a long long time).

In this patch we remove the duplicate code from listfdb. In order to do this we:

- Link again read.h
- Add the required dependency in util/Makefile.am
- Make the bufbits variable extern in read.h

This patch fixes #107 and #106 (and probably a *lot* of other issues).

Commit: 03498cf4e0319d8836aba96ce8a817beaabb441e
https://github.com/libming/libming/commit/03498cf4e0319d8836aba96ce8a817beaabb441e
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-03-11 (Sun, 11 Mar 2018)

Changed paths:
  M NEWS
  M util/listfdb.c
  M util/main.c

Log Message:
-----------
Fix various compiler warnings.

Remove useless variables blockstart, blockoffset and here.

Commit: c4d20b127bac8cfd13fc7a965f3ffdf3d59e5793
https://github.com/libming/libming/commit/c4d20b127bac8cfd13fc7a965f3ffdf3d59e5793
Author: Sandro Santilli <st...@kb...>
Date: 2018-03-11 (Sun, 11 Mar 2018)

Changed paths:
  M NEWS
  M util/Makefile.am
  M util/listfdb.c
  M util/main.c
  M util/read.h

Log Message:
-----------
Merge pull request #124 from hlef/master

Fix several issues in listfdb and some compiler warnings

Compare: https://github.com/libming/libming/compare/dacce30cc095...c4d20b127bac

From: GitHub <no...@gi...> - 2018-02-20 09:36:32
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: f42fdb48986f29278907ab11f615b1c5d2f87530
https://github.com/libming/libming/commit/f42fdb48986f29278907ab11f615b1c5d2f87530
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-02-19 (Mon, 19 Feb 2018)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Fix heap-use-after-free in decompileIF

The decompileIF function in util/decompile.c accesses actions array without checking the validity of n, the user entered index. This leads to heap-use-after-free issues when n is zero.

This commit addresses this issue by using the OpCode function which does check input arguments.

This commit fixes #105 (CVE-2018-6359).

Commit: 9c53bf8e165c3a74e20f4c93b4ab6c05fe67f187
https://github.com/libming/libming/commit/9c53bf8e165c3a74e20f4c93b4ab6c05fe67f187
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-02-19 (Mon, 19 Feb 2018)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Use OpCode instead of directly accessing actions

Instead of directly accessing the actions array without checks for the value of n (which may lead to heap buffer overflow etc, see #83 or #105), use the dedicated OpCode function.

Commit: dacce30cc0950b0b01ee4fc8299130999708745a
https://github.com/libming/libming/commit/dacce30cc0950b0b01ee4fc8299130999708745a
Author: Sandro Santilli <st...@kb...>
Date: 2018-02-20 (Tue, 20 Feb 2018)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Merge pull request #108 from hlef/master

Use OpCode instead of directly accessing actions

Compare: https://github.com/libming/libming/compare/3120f1cdae0c...dacce30cc095

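Several commits in this archive (decompileIF, decompileJUMP, the Offset accessor, the decompileSETTARGET loop) replace raw `actions[n]` reads with a range-checked accessor. The following is an added example of that pattern, not libming's code: the `struct action` layout, the opcode values, the sentinel and the function names are all hypothetical, and the sample array is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified action record; not libming's SWF_ACTION. */
struct action { int opcode; long offset; };

/* Constructed opcode values for the demo; not real SWF action codes. */
enum { OP_PUSH = 1, OP_JUMP = 2, OP_END = 3 };

#define OP_INVALID (-1)   /* sentinel that no real opcode uses */

/* Checked accessor: every read of a[n] goes through a range test on n. */
static int op_code(const struct action *a, int n, int maxn)
{
    if (a == NULL || n < 0 || n >= maxn)
        return OP_INVALID;
    return a[n].opcode;
}

/* Same check for the offset field; returns 0 on success, -1 if n is bad. */
static int offset_of(const struct action *a, int n, int maxn, long *out)
{
    if (a == NULL || out == NULL || n < 0 || n >= maxn)
        return -1;
    *out = a[n].offset;
    return 0;
}

/* Count the actions that follow index n up to the first end_op.
 * The bound is on the count itself, so the result never exceeds the
 * maxn - n - 1 elements that actually exist after index n. */
static int count_until(const struct action *a, int n, int maxn, int end_op)
{
    int cnt;

    if (n < 0 || n >= maxn)
        return 0;
    for (cnt = 0; cnt < maxn - n - 1; cnt++)
        if (op_code(a, n + 1 + cnt, maxn) == end_op)
            break;
    return cnt;
}

/* Constructed sample input. */
static const struct action SAMPLE[] = {
    { OP_JUMP, 8 }, { OP_PUSH, 0 }, { OP_END, 0 }, { OP_PUSH, 0 },
};
#define SAMPLE_LEN ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

int main(void)
{
    long off = 0;

    /* n - 1 with n == 0 and n == maxn both come back as the sentinel. */
    printf("op[-1]=%d op[%d]=%d\n", op_code(SAMPLE, -1, SAMPLE_LEN),
           SAMPLE_LEN, op_code(SAMPLE, SAMPLE_LEN, SAMPLE_LEN));
    if (offset_of(SAMPLE, 0, SAMPLE_LEN, &off) == 0)
        printf("offset[0]=%ld\n", off);
    printf("count after 0 until END: %d\n",
           count_until(SAMPLE, 0, SAMPLE_LEN, OP_END));
    return 0;
}
```
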
From: GitHub <no...@gi...> - 2018-01-27 08:02:05
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 3120f1cdae0c5232a4fb15e5ce42b8c455b43379
https://github.com/libming/libming/commit/3120f1cdae0c5232a4fb15e5ce42b8c455b43379
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-01-27 (Sat, 27 Jan 2018)

Changed paths:
  M NEWS
  M util/outputscript.c

Log Message:
-----------
Fix NULL pointer deref in outputSWF_TEXT_RECORD

In outputSWF_TEXT_RECORD, the array offset is stored in a signed int, while (&(trec->GlyphEntries[i]))->GlyphIndex[0] returns an unsigned 32 bit number. This may lead to an integer overflow when reading the offset from the GlyphIndex array, and further to a buffer overflow when doing buffer[i]=fi->fontcodeptr[off] with negative off.

In this commit, we change the type of off to unsigned long so we are guaranteed to be able to store 32 unsigned integers.

This commit fixes CVE-2018-6315 (fixes #101).

From: GitHub <no...@gi...> - 2018-01-17 10:17:42
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: c14d07ef20c3f403fcfa59502b74c66933473431
https://github.com/libming/libming/commit/c14d07ef20c3f403fcfa59502b74c66933473431
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-01-17 (Wed, 17 Jan 2018)

Changed paths:
  M NEWS
  M util/read.c

Log Message:
-----------
Fix integer overflow vulnerability in util/read.c.

This vulnerability is caused by a regression introduced in d468907.

In this commit we cast the result of readUInt8(f) before left shifting by 24 in order to avoid out of range shift.

This commit fixes CVE-2018-5251 (fixes #98).

Commit: 9141f1df0d6ecb84f298633ba03569bbf5c842d0
https://github.com/libming/libming/commit/9141f1df0d6ecb84f298633ba03569bbf5c842d0
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-01-17 (Wed, 17 Jan 2018)

Changed paths:
  M NEWS
  M util/read.c

Log Message:
-----------
Fix left shift of a negative value in readSBits.

Check for !number before left-shifting by (number-1).

This commit fixes CVE-2018-5294 (fixes #97).

Compare: https://github.com/libming/libming/compare/1df8bc2e6e28...9141f1df0d6e

From: GitHub <no...@gi...> - 2018-01-10 12:19:54
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 6032557a21e4dac8bb2606bb5b58e27d85a7ff98
https://github.com/libming/libming/commit/6032557a21e4dac8bb2606bb5b58e27d85a7ff98
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-01-10 (Wed, 10 Jan 2018)

Changed paths:
  M NEWS
  M util/listmp3.c

Log Message:
-----------
Fix global buffer overflow in printMP3Headers.

The printMP3Headers function in util/listmp3.c processes mp3 files without checking their bitrate values. This leads to bitrate_idx = 15 being used as index in mp2l23_bitrate_table[bitrate_idx] while mp2l23_bitrate_table has only 14 elements.

In this commit we add a check rejecting mp3 files declaring invalid bitrates.

This commit fixes CVE-2017-16898 (fixes: #75).

Commit: 1df8bc2e6e286e1226204c01779c4020aa97725f
https://github.com/libming/libming/commit/1df8bc2e6e286e1226204c01779c4020aa97725f
Author: Sandro Santilli <st...@kb...>
Date: 2018-01-10 (Wed, 10 Jan 2018)

Changed paths:
  M NEWS
  M util/listmp3.c

Log Message:
-----------
Merge pull request #99 from hlef/master

Fix global buffer overflow in printMP3Headers (CVE-2017-16898)

Compare: https://github.com/libming/libming/compare/ded97d037322...1df8bc2e6e28

From: GitHub <no...@gi...> - 2017-12-05 16:29:27
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 726c2768805c8c95e8ad8e5f09eddc5b16570365
https://github.com/libming/libming/commit/726c2768805c8c95e8ad8e5f09eddc5b16570365
Author: Hugo Lefeuvre <hl...@de...>
Date: 2017-12-05 (Tue, 05 Dec 2017)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Fix buffer overflow in dcputs (buffer missing \0)

The dcputs function appends passed string at the end of the global string buffer (dcstr), adapting the buffer's size if necessary.

Unfortunately, the strsize variable which holds the global buffer's size is initialized to 0 in dcinit(), which means that no place for the \0 character is reserved. Hence, whenever dcputs tries to strcat a string to the global buffer, a byte may be missing leading to a heap buffer overflow.

This commit addresses this issue (CVE-2017-11732, closes #80).

Commit: ded97d0373222d3f6939ee4e786eef4605c5f80b
https://github.com/libming/libming/commit/ded97d0373222d3f6939ee4e786eef4605c5f80b
Author: Sandro Santilli <st...@kb...>
Date: 2017-12-05 (Tue, 05 Dec 2017)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Merge pull request #96 from hlef/master

Fix buffer overflow in dcputs (buffer missing \0)

Compare: https://github.com/libming/libming/compare/459fb480d9c8...ded97d037322

From: GitHub <no...@gi...> - 2017-11-24 20:48:31
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: f3a66c6479d1191734b5ab57d5d7e0bd7525b1a7
https://github.com/libming/libming/commit/f3a66c6479d1191734b5ab57d5d7e0bd7525b1a7
Author: Hugo Lefeuvre <hl...@de...>
Date: 2017-11-24 (Fri, 24 Nov 2017)

Changed paths:
  M NEWS
  M util/outputscript.c

Log Message:
-----------
Fix NULL pointer deref in outputSWF_TEXT_RECORD

fip and fip_current are static pointers to a linked list containing fonts information. This list and the two pointers are initialized and filled by saveFontInfo() (called by the outputSWF_DEFINEFONTxxxx() functions when defining new fonts).

In the case where no font is defined, saveFontInfo() is never called and the two list pointers are NULL. This situation may trigger a NULL pointer dereference in outputSWF_TEXT_RECORD.

In this patch, we check for !fip_current before dereferencing it. In the == NULL case, we print a warning and continue.

This commit addresses CVE-2017-16883 (fixes #77).

Commit: 459fb480d9c8f1d841d87b9f52049e41355165c4
https://github.com/libming/libming/commit/459fb480d9c8f1d841d87b9f52049e41355165c4
Author: Sandro Santilli <st...@kb...>
Date: 2017-11-24 (Fri, 24 Nov 2017)

Changed paths:
  M NEWS
  M util/outputscript.c

Log Message:
-----------
Merge pull request #94 from hlef/master

Fix NULL pointer dereference in outputSWF_TEXT_RECORD (CVE-2017-16883)

Compare: https://github.com/libming/libming/compare/fcb9fbf96a96...459fb480d9c8

From: GitHub <no...@gi...> - 2017-10-28 22:43:34
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: eda5a20206862a11805303cdd125566c9f9f9103
https://github.com/libming/libming/commit/eda5a20206862a11805303cdd125566c9f9f9103
Author: Hugo Lefeuvre <hl...@de...>
Date: 2017-10-23 (Mon, 23 Oct 2017)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Fix null-pointer dereference issue in stackswap.

Avoid processing stackswap when stack only contains one element. In this case, print a warning if debug mode is enabled, and return cleanly.

This commit fixes CVE-2017-11733 (fixes #78).

Commit: d468907a46a7ca42a78b0ac6f221172905be2fd6
https://github.com/libming/libming/commit/d468907a46a7ca42a78b0ac6f221172905be2fd6
Author: Hugo Lefeuvre <hl...@de...>
Date: 2017-10-27 (Fri, 27 Oct 2017)

Changed paths:
  M NEWS
  M util/read.c
  M util/read.h

Log Message:
-----------
Fix readSInt16, readUInt16 and readSInt32 methods

* Rewrite readSInt16, readUInt16 and readSInt32. Avoid calling all read{U,S}Int8(f) in one line, order of evaluation is not guaranteed in the C standard (undefined behavior).
* Change return type of readUInt16 from int to unsigned int.
* Rewrite readUInt32. Use |= operator instead of adding four separate integers. Less memory usage, better readable.

Commit: 8b29e8e7b321bbe102b3d543a7a5f20227371612
https://github.com/libming/libming/commit/8b29e8e7b321bbe102b3d543a7a5f20227371612
Author: Hugo Lefeuvre <hl...@de...>
Date: 2017-10-27 (Fri, 27 Oct 2017)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Un-define DEBUGSTACK (util/decompile.c)

pop(), peek() and co. are designed to crash whenever the stack becomes NULL but this behavior is currently short-circuited by the DEBUGSTACK option, a debug option which allows further processing when Stack == NULL.

With DEBUGSTACK defined, whenever the stack becomes NULL it is replaced by a dummy element like "// *** pop(): INTERNAL STACK ERROR FOUND ***".

While this is an acceptable feature for debugging purposes, this is not something we want for production because it may lead other functions to crash (infinite loops, buffer over reads...) in an especially undebuggable way.

Commit: fcb9fbf96a96026fb656cebec53375a6dc94e8ad
https://github.com/libming/libming/commit/fcb9fbf96a96026fb656cebec53375a6dc94e8ad
Author: Sandro Santilli <st...@kb...>
Date: 2017-10-29 (Sun, 29 Oct 2017)

Changed paths:
  M NEWS
  M util/decompile.c
  M util/read.c
  M util/read.h

Log Message:
-----------
Merge pull request #93 from hlef/master

Fix various issues related to CVE-2017-11733.

Compare: https://github.com/libming/libming/compare/847b98979405...fcb9fbf96a96

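The read.c commits in this archive (one read per statement, an unsigned return type, casting before the shift by 24, and the zero-width case in readSBits) all concern how multi-byte and bit-field integers are assembled. The following is an added example of those rules over an in-memory buffer, not libming's read.c: the `struct reader` type, the function names and the sample bytes are hypothetical or constructed, and little-endian byte order is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical in-memory reader standing in for the FILE* the tools use. */
struct reader {
    const uint8_t *buf;
    size_t len;
    size_t pos;
    int err;                    /* set once a read runs past the end */
};

static uint8_t rd_u8(struct reader *r)
{
    if (r->pos >= r->len) {
        r->err = 1;
        return 0;
    }
    return r->buf[r->pos++];
}

/* One read per statement: the byte order is fixed by sequencing, not by
 * whatever order the compiler evaluates the operands of '+' or '|'. */
static uint16_t rd_u16(struct reader *r)
{
    uint16_t v = rd_u8(r);
    v |= (uint16_t)((uint16_t)rd_u8(r) << 8);
    return v;
}

static uint32_t rd_u32(struct reader *r)
{
    uint32_t v = rd_u8(r);
    v |= (uint32_t)rd_u8(r) << 8;
    v |= (uint32_t)rd_u8(r) << 16;
    /* Cast before shifting: a byte >= 0x80 promoted to int and shifted
     * left by 24 does not fit in a signed int. */
    v |= (uint32_t)rd_u8(r) << 24;
    return v;
}

/* Sign-extend the low nbits of v. A zero-width field yields 0 instead of
 * shifting by (nbits - 1); widths above 32 are rejected the same way. */
static int32_t sign_extend(uint32_t v, unsigned nbits)
{
    uint32_t sign, mask;

    if (nbits == 0 || nbits > 32)
        return 0;
    sign = UINT32_C(1) << (nbits - 1);
    mask = (nbits == 32) ? UINT32_MAX : ((UINT32_C(1) << nbits) - 1);
    v &= mask;
    /* (v ^ sign) - sign, done in 64 bits so no step overflows. */
    return (int32_t)((int64_t)(v ^ sign) - (int64_t)sign);
}

/* Constructed sample: UI16 0x1234, UI32 0x80000000, then a truncated UI16. */
static const uint8_t SAMPLE[] = { 0x34, 0x12, 0x00, 0x00, 0x00, 0x80, 0xFF };

int main(void)
{
    struct reader r = { SAMPLE, sizeof SAMPLE, 0, 0 };
    unsigned a = rd_u16(&r);
    unsigned long b = rd_u32(&r);
    unsigned c = rd_u16(&r);    /* runs off the end: err is set */

    printf("u16=0x%04x u32=0x%08lx truncated=0x%04x err=%d\n",
           a, b, c, r.err);
    printf("3-bit 0x7 -> %ld, zero-width -> %ld\n",
           (long)sign_extend(0x7, 3), (long)sign_extend(5, 0));
    return 0;
}
```
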
From: GitHub <no...@gi...> - 2017-10-21 12:18:19
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 1a1d2704cb19f2d3299f042bb3a4783c960b0a9a
https://github.com/libming/libming/commit/1a1d2704cb19f2d3299f042bb3a4783c960b0a9a
Author: Hugo Lefeuvre <hl...@de...>
Date: 2017-10-13 (Fri, 13 Oct 2017)

Changed paths:
  M NEWS
  M util/read.c
  M util/read.h

Log Message:
-----------
Change type of size variable in readBytes

size should have type unsigned long instead of int in order to avoid overflows and lossy casts when passing U30 integers.

This commit fixes CVE-2017-9989 (fixes #86).

Commit: 847b9897940521a325f491965737b7291603caf1
https://github.com/libming/libming/commit/847b9897940521a325f491965737b7291603caf1
Author: Hugo Lefeuvre <hl...@de...>
Date: 2017-10-13 (Fri, 13 Oct 2017)

Changed paths:
  M util/read.c

Log Message:
-----------
Avoid NULL pointer dereference in util/read.c.

Make sure that buf isn't dereferenced if malloc failed. In this case, report error and abort.

Compare: https://github.com/libming/libming/compare/447821c5cf76...847b98979405