Description:
libming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way..
A fuzzing revealed an overflow in listswf. The bug does not reside in any shared object but if you have a web application that calls directly the listswf binary to parse untrusted swf, then you are affected.
The complete ASan output:
# listswf $FILE
header indicates a filesize of 237 but filesize is 272
File version: 6
File size: 272
Frame size: (-4926252,-2829100)x(-2829100,-2829100)
Frame rate: 166.648438 / sec.
Total frames: 42662
Offset: 25 (0x0019)
Block type: 666 (Unknown Block Type)
Block length: 38
0000: a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 c5 c5 c5 ........ ........
0010: c5 c5 00 02 00 00 19 9a 02 ba 06 80 00 00 fe 38 ........ .......8
0020: 01 00 a6 e3 80 29 .....)
Offset: 65 (0x0041)
Block type: 149 (Unknown Block Type)
Block length: 55
0000: dc 20 1c db 31 89 c7 ff 7f 0a d8 97 c5 c5 c5 c5 . ..1... .......
0010: cb c5 ea fc 77 da c5 c5 c5 c5 c5 d3 d3 1a 19 9a ....w... ........
0020: 7a 38 df f6 a6 e3 80 40 77 a5 e3 00 ba f5 90 6f z8.....@ w......o
0030: d3 1a 5d f0 59 0e c2 ..].Y..
Offset: 122 (0x007a)
Block type: 896 (Unknown Block Type)
Block length: 47
0000: 7f 41 41 41 67 67 18 9d 6d ea 3b 3f ff ff ba 06 AAAgg.. m.;?....
0010: 80 00 00 fe 38 01 00 a6 e3 80 29 77 25 dc 20 1c ....8... ..)w%. .
0020: db 31 89 c7 ff 7f 0a d8 97 c5 c5 c5 c5 a6 2f .1..... ....../
Offset: 171 (0x00ab)
Block type: 919 (Unknown Block Type)
Block length: 48
0000: ab d2 20 65 ff fe 7f 7f 0b 1c 62 24 67 89 18 79 .. e.. ..b$g..y
0010: a2 e3 2c 61 2a 2d c1 2c 37 a6 2f f0 e5 ab d2 20 ..,a*-., 7./....
0020: 65 65 65 65 65 c7 8e cb 0a d8 1b 75 85 c5 c5 03 eeeee... ...u....
Offset: 221 (0x00dd)
Block type: 791 (Unknown Block Type)
Block length: 7
0000: c5 b7 c5 d3 d3 1a 19 .......
=================================================================
==634==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb0 at pc 0x00000058582e bp 0x7fff1ed6df60 sp 0x7fff1ed6df58
WRITE of size 2 at 0x60200000efb0 thread T0
#0 0x58582d in parseSWF_DEFINEFONT /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:1656:29
#1 0x5302cb in blockParse /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/blocktypes.c:145:14
#2 0x527d4f in readMovie /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:265:11
#3 0x527d4f in main /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:350
#4 0x7fad6007961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
#5 0x419b38 in _init (/usr/bin/listswf+0x419b38)
0x60200000efb1 is located 0 bytes to the right of 1-byte region [0x60200000efb0,0x60200000efb1)
allocated by thread T0 here:
#0 0x4d28f8 in malloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
#1 0x58532d in parseSWF_DEFINEFONT /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:1655:36
#2 0x5302cb in blockParse /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/blocktypes.c:145:14
#3 0x527d4f in readMovie /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:265:11
#4 0x527d4f in main /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:350
#5 0x7fad6007961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:1656:29 in parseSWF_DEFINEFONT
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa[01]fa fa fa 00 fa fa fa 07 fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==634==ABORTING
Affected version:
0.4.7
Fixed version:
0.4.8
Commit fix:
https://github.com/libming/libming/commit/e397b5e6f947e2d18ec633c0ffd933b2f3097876
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-9829
Reproducer:
https://github.com/asarubbo/poc/blob/master/00075-libming-heapoverflow-parseSWF_DEFINEFONT
Timeline:
2016-11-24: bug discovered and reported to upstream
2016-12-01: blog post about the issue
2016-12-05: CVE assigned
2017-01-30: upstream released a patch
2017-04-07: upstream released 0.4.8
Note:
This bug was found with American Fuzzy Lop.
Permalink:
libming: listswf: heap-based buffer overflow in parseSWF_DEFINEFONT (parser.c)