Message-ID: <2637042.StuLhmWT5T@arcadia>
Date: Thu, 01 Dec 2016 17:04:26 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: libming: listswf: NULL pointer dereference in dumpBuffer (read.c)
If suitable for a CVE please assign one. Thanks.
Description:
libming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby,
Python, C, C++, Java, and probably more on the way.
Fuzzing revealed a NULL pointer access in listswf. The bug does not reside
in any shared object, but if you have a web application that calls the
listswf binary directly to parse untrusted SWF files, then you are affected.
The complete ASan output:
# listswf $FILE
header indicates a filesize of 7917 but filesize is 187
File version: 100
File size: 187
Frame size: (8452,8981)x(-4096,0)
Frame rate: 67.851562 / sec.
Total frames: 16387
Stream out of sync after parse of blocktype 2 (SWF_DEFINESHAPE). 166 but expecting 23.
Offset: 21 (0x0015)
Block type: 2 (SWF_DEFINESHAPE)
Block length: 0
CharacterID: 55319
RECT: (-2048,140)x(0,-1548):12
FillStyleArray: FillStyleCount: 18 FillStyleCountExtended: 0
FillStyle: FillStyleType: 0
RGBA: ( 0, 1,9a,ff)
FillStyle: FillStyleType: 7f
FillStyle: FillStyleType: b
FillStyle: FillStyleType: fb
FillStyle: FillStyleType: 82
FillStyle: FillStyleType: 24
FillStyle: FillStyleType: 67
FillStyle: FillStyleType: 67
FillStyle: FillStyleType: 18
FillStyle: FillStyleType: 9d
FillStyle: FillStyleType: 6d
FillStyle: FillStyleType: d7
FillStyle: FillStyleType: 97
FillStyle: FillStyleType: 1
FillStyle: FillStyleType: 26
FillStyle: FillStyleType: 1a
FillStyle: FillStyleType: 17
FillStyle: FillStyleType: 9a
LineStyleArray: LineStyleCount: 19
LineStyle: Width: 1722
RGBA: (7a,38,df,ff)
LineStyle: Width: 42742
RGBA: ( 0, 0, 0,ff)
LineStyle: Width: 70
RGBA: (10,91,64,ff)
LineStyle: Width: 37031
RGBA: (e7,c7,15,ff)
LineStyle: Width: 9591
RGBA: (dc,ee,81,ff)
LineStyle: Width: 4249
RGBA: ( 0,ee,ed,ff)
LineStyle: Width: 60909
RGBA: (ed,ed,ed,ff)
LineStyle: Width: 60909
RGBA: (ed,ed,ed,ff)
LineStyle: Width: 60909
RGBA: (ed,ed,ed,ff)
LineStyle: Width: 60909
RGBA: (ed,ed,ed,ff)
LineStyle: Width: 60909
RGBA: (ed,ed,ed,ff)
LineStyle: Width: 60909
RGBA: (ed,ed,a7,ff)
LineStyle: Width: 42919
RGBA: (a7,a7,9c,ff)
LineStyle: Width: 40092
RGBA: (9c,9c,9c,ff)
LineStyle: Width: 32156
RGBA: (9c,bc,9c,ff)
LineStyle: Width: 33948
RGBA: (9c,9c,9c,ff)
LineStyle: Width: 26404
RGBA: ( 0, c,80,ff)
LineStyle: Width: 42752
RGBA: (a7, 2, 2,ff)
LineStyle: Width: 514
RGBA: (c6, 2, 0,ff)
NumFillBits: 11
NumLineBits: 13
Curved EdgeRecord: 9 Control(-145,637) Anchor(-735,-1010)
Curved EdgeRecord: 7 Control(-177,156) Anchor(16,32)
StyleChangeRecord:
StateNewStyles: 0 StateLineStyle: 1 StateFillStyle1: 0
StateFillStyle0: 0 StateMoveTo: 0
LineStyle: 257
ENDSHAPE
Offset: 23 (0x0017)
Block type: 864 (Unknown Block Type)
Block length: 23
0000: 64 00 00 00 46 4f a3 12 00 00 01 9a 7f 0b fb 82 d...FO.. .......
0010: 24 67 67 18 9d 6d d7 $gg..m.
Offset: 48 (0x0030)
Block type: 6 (SWF_DEFINEBITS)
Block length: 23
CharacterID: 6694
Offset: 73 (0x0049)
Block type: 87 (SWF_DEFINEBINARYDATA)
Block length: 7
0000: ASAN:DEADLYSIGNAL
=================================================================
==27703==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000059d2ff bp 0x7ffe859e6fc0 sp 0x7ffe859e6f50 T0)
==27703==The signal is caused by a READ memory access.
==27703==Hint: address points to the zero page.
    #0 0x59d2fe in dumpBuffer /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/read.c:441:23
    #1 0x51c305 in outputSWF_UNKNOWNBLOCK /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/outputtxt.c:2870:3
    #2 0x51c305 in outputBlock /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/outputtxt.c:2937
    #3 0x527e83 in readMovie /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:277:4
    #4 0x527e83 in main /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:350
    #5 0x7f0186c4461f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x419b38 in _init (/usr/bin/listswf+0x419b38)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/read.c:441:23 in dumpBuffer
==27703==ABORTING
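The trace above ends in dumpBuffer reading from address 0 while printing the body of a block, i.e. a NULL body pointer reached the dump routine unchecked. The C below is an added example, not libming code, of how a block reader and a hex dumper can be written so that a truncated block body is reported instead of dereferenced. The function names (read_block_body, dump_buffer_checked) and the sample bytes are constructed for this illustration and do not come from the advisory.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed input: a 10-byte "file". A block header in it might claim a
 * body longer than what is actually present, which is the situation a
 * truncated or fuzzed SWF produces. */
const unsigned char sample_file[] = {
    0x64, 0x00, 0x00, 0x00, 0x46, 0x4f, 0xa3, 0x12, 0x00, 0x00
};

/* Hypothetical reader: returns a pointer into `data` for a block body of
 * `len` bytes starting at `offset`, or NULL when the file is too short to
 * hold it. Callers must treat NULL as "no body" rather than pass it on. */
const unsigned char *read_block_body(const unsigned char *data, size_t file_len,
                                     size_t offset, size_t len)
{
    if (data == NULL || offset > file_len || len > file_len - offset)
        return NULL;
    return data + offset;
}

/* Hypothetical hex dumper in listswf's "0000: xx xx ... ascii" layout.
 * Returns the number of lines written, or -1 when `buf` is NULL, instead of
 * reading through the null pointer. `out` may be NULL to only count lines. */
int dump_buffer_checked(const unsigned char *buf, size_t len, FILE *out)
{
    if (buf == NULL) {
        if (out)
            fputs("  (block body missing or truncated; nothing to dump)\n", out);
        return -1;
    }
    int lines = 0;
    for (size_t off = 0; off < len; off += 16, lines++) {
        size_t n = (len - off < 16) ? len - off : 16;
        if (!out)
            continue;
        fprintf(out, "%04zx: ", off);
        for (size_t i = 0; i < 16; i++) {
            if (i < n)
                fprintf(out, "%02x ", buf[off + i]);
            else
                fputs("   ", out);
            if (i == 7)
                fputc(' ', out);
        }
        for (size_t i = 0; i < n; i++)
            fputc(isprint(buf[off + i]) ? buf[off + i] : '.', out);
        fputc('\n', out);
    }
    return lines;
}

int main(void)
{
    /* A header claiming 23 bytes at offset 2 of a 10-byte file: the reader
     * yields NULL and the dumper reports it instead of crashing. */
    const unsigned char *body = read_block_body(sample_file, sizeof sample_file, 2, 23);
    printf("dump returned %d\n", dump_buffer_checked(body, 23, stdout));

    /* A header that fits: 8 bytes at offset 2 are dumped normally. */
    body = read_block_body(sample_file, sizeof sample_file, 2, 8);
    printf("dump returned %d\n", dump_buffer_checked(body, 8, stdout));
    return 0;
}
```

The separation matters: the reader is the only place that knows how many bytes the file really holds, so it is where the length check belongs, and the dumper's NULL check is the backstop that turns a bad block into a diagnostic line rather than a signal.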
Affected version:
0.4.7
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00078-libming-nullptr-dumpBuffer
Timeline:
2016-11-24: bug discovered and reported to upstream
2016-12-01: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
https://blogs.gentoo.org/ago/2016/12/01/libming-listswf-null-pointer-dereference-in-dumpbuffer-read-c
--
Agostino Sarubbo
Gentoo Linux Developer