Description:
libming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way..
A fuzzing revealed an overflow in listswf. The bug does not reside in any shared object but if you have a web application that calls directly the listswf binary to parse untrusted swf, then you are affected.
The complete ASan output:
# listswf $FILE header indicates a filesize of 237 but filesize is 272 File version: 6 File size: 272 Frame size: (-4926252,-2829100)x(-2829100,-2829100) Frame rate: 166.648438 / sec. Total frames: 42662 Offset: 25 (0x0019) Block type: 666 (Unknown Block Type) Block length: 38 0000: a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 c5 c5 c5 ........ ........ 0010: c5 c5 00 02 00 00 19 9a 02 ba 06 80 00 00 fe 38 ........ .......8 0020: 01 00 a6 e3 80 29 .....) Offset: 65 (0x0041) Block type: 149 (Unknown Block Type) Block length: 55 0000: dc 20 1c db 31 89 c7 ff 7f 0a d8 97 c5 c5 c5 c5 . ..1... ....... 0010: cb c5 ea fc 77 da c5 c5 c5 c5 c5 d3 d3 1a 19 9a ....w... ........ 0020: 7a 38 df f6 a6 e3 80 40 77 a5 e3 00 ba f5 90 6f z8.....@ w......o 0030: d3 1a 5d f0 59 0e c2 ..].Y.. Offset: 122 (0x007a) Block type: 896 (Unknown Block Type) Block length: 47 0000: 7f 41 41 41 67 67 18 9d 6d ea 3b 3f ff ff ba 06 AAAgg.. m.;?.... 0010: 80 00 00 fe 38 01 00 a6 e3 80 29 77 25 dc 20 1c ....8... ..)w%. . 0020: db 31 89 c7 ff 7f 0a d8 97 c5 c5 c5 c5 a6 2f .1..... ....../ Offset: 171 (0x00ab) Block type: 919 (Unknown Block Type) Block length: 48 0000: ab d2 20 65 ff fe 7f 7f 0b 1c 62 24 67 89 18 79 .. e.. ..b$g..y 0010: a2 e3 2c 61 2a 2d c1 2c 37 a6 2f f0 e5 ab d2 20 ..,a*-., 7./.... 0020: 65 65 65 65 65 c7 8e cb 0a d8 1b 75 85 c5 c5 03 eeeee... ...u.... Offset: 221 (0x00dd) Block type: 791 (Unknown Block Type) Block length: 7 0000: c5 b7 c5 d3 d3 1a 19 ....... ================================================================= ==634==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb0 at pc 0x00000058582e bp 0x7fff1ed6df60 sp 0x7fff1ed6df58 WRITE of size 2 at 0x60200000efb0 thread T0 #0 0x58582d in parseSWF_DEFINEFONT /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:1656:29 #1 0x5302cb in blockParse /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/blocktypes.c:145:14 #2 0x527d4f in readMovie /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:265:11 #3 0x527d4f in main /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:350 #4 0x7fad6007961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #5 0x419b38 in _init (/usr/bin/listswf+0x419b38) 0x60200000efb1 is located 0 bytes to the right of 1-byte region [0x60200000efb0,0x60200000efb1) allocated by thread T0 here: #0 0x4d28f8 in malloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64 #1 0x58532d in parseSWF_DEFINEFONT /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:1655:36 #2 0x5302cb in blockParse /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/blocktypes.c:145:14 #3 0x527d4f in readMovie /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:265:11 #4 0x527d4f in main /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:350 #5 0x7fad6007961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:1656:29 in parseSWF_DEFINEFONT Shadow bytes around the buggy address: 0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c047fff9df0: fa fa fa fa fa fa[01]fa fa fa 00 fa fa fa 07 fa 0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==634==ABORTING
Affected version:
0.4.7
Fixed version:
0.4.8
Commit fix:
https://github.com/libming/libming/commit/e397b5e6f947e2d18ec633c0ffd933b2f3097876
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-9829
Reproducer:
https://github.com/asarubbo/poc/blob/master/00075-libming-heapoverflow-parseSWF_DEFINEFONT
Timeline:
2016-11-24: bug discovered and reported to upstream
2016-12-01: blog post about the issue
2016-12-05: CVE assigned
2017-01-30: upstream released a patch
2017-04-07: upstream released 0.4.8
Note:
This bug was found with American Fuzzy Lop.
Permalink:
libming: listswf: heap-based buffer overflow in parseSWF_DEFINEFONT (parser.c)