Description:
libming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way.
Fuzzing revealed a heap-based buffer overflow in listswf. The bug does not reside in any shared object, but if you have a web application that calls the listswf binary directly to parse untrusted SWF files, then you are affected.
The complete ASan output:
# listswf $FILE
header indicates a filesize of 237 but filesize is 191
File version: 6
File size: 191
Frame size: (3493,-4999)x(-5076,9541)
Frame rate: 39.625000 / sec.
Total frames: 33032
Stream out of sync after parse of blocktype 18 (SWF_SOUNDSTREAMHEAD). 29 but expecting 27.
Offset: 21 (0x0015)
Block type: 18 (SWF_SOUNDSTREAMHEAD)
Block length: 4
PlaybackSoundRate 5.5 kHz
PlaybackSoundSize 16 bit
PlaybackSoundType stereo
StreamSoundCompression MP3
StreamSoundRate 44 kHz
StreamSoundSize error
StreamSoundType mono
StreamSoundSampleCount 10838
LatencySeek 53805
Offset: 27 (0x001b)
Block type: 840 (Unknown Block Type)
Block length: 45
0000: 2c 37 a6 30 3a 29 ab d2 54 6e 8e 88 0a f5 1b 6a ,7.0:).. Tn.....j
0010: a2 f7 a1 a3 a3 a1 e1 06 70 04 8e 90 82 03 40 47 ........ p.....@G
0020: e0 30 c6 a6 83 57 ac 46 4f 8a 91 76 07 .0...W.F O..v.
Offset: 74 (0x004a)
Block type: 514 (Unknown Block Type)
Block length: 27
0000: b2 05 12 c2 3e 3a 01 20 d8 a7 7d 63 01 11 5c fc ....>:. ..}c..\.
0010: 15 8e 90 43 8f 64 8e 58 49 ad 95 ...C.d.X I..
Offset: 103 (0x0067)
Block type: 297 (Unknown Block Type)
Block length: 20
0000: 27 79 a2 e3 2c 56 2a 2d d2 2c 37 a6 30 3a 29 ab 'y..,V*- .,7.0:).
0010: d2 54 6e 8e .Tn.
skipping 8 bytes
Offset: 125 (0x007d)
Block type: 42 (SWF_DEFINETEXTFORMAT)
Block length: 8
255 gradients in SWF_MORPHGRADiENT, expected a max of 8
=================================================================
==31250==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62400000df10 at pc 0x00000057f342 bp 0x7ffe24b21ef0 sp 0x7ffe24b21ee8
WRITE of size 1 at 0x62400000df10 thread T0
#0 0x57f341 in parseSWF_RGBA /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:66:12
#1 0x57f341 in parseSWF_MORPHGRADIENTRECORD /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:746
#2 0x57f341 in parseSWF_MORPHGRADIENT /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:761
#3 0x57e25a in parseSWF_MORPHFILLSTYLE /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:777:7
#4 0x58b9b8 in parseSWF_MORPHFILLSTYLES /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:804:7
#5 0x58b9b8 in parseSWF_DEFINEMORPHSHAPE /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:2098
#6 0x5302cb in blockParse /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/blocktypes.c:145:14
#7 0x527d4f in readMovie /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:265:11
#8 0x527d4f in main /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:350
#9 0x7f39cc7da61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
#10 0x419b38 in _init (/usr/bin/listswf+0x419b38)
0x62400000df10 is located 0 bytes to the right of 7696-byte region [0x62400000c100,0x62400000df10)
allocated by thread T0 here:
#0 0x4d2af5 in calloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:72
#1 0x58b90a in parseSWF_MORPHFILLSTYLES /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:801:28
#2 0x58b90a in parseSWF_DEFINEMORPHSHAPE /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:2098
#3 0x5302cb in blockParse /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/blocktypes.c:145:14
#4 0x527d4f in readMovie /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:265:11
#5 0x527d4f in main /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:350
#6 0x7f39cc7da61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:66:12 in parseSWF_RGBA
Shadow bytes around the buggy address:
0x0c487fff9b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c487fff9ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c487fff9bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c487fff9bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c487fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c487fff9be0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==31250==ABORTING
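The trace above shows the shape of the defect: a warning about an oversized gradient count is printed, and immediately afterwards a 1-byte write lands 0 bytes past a calloc'd region inside parseSWF_MORPHGRADIENT. The C snippet below is an added illustration of how a count-driven record parser should handle that case; it is not libming's code and not the upstream fix. The structure names, the simplified record layout (a count byte followed by start/end RGBA pairs) and the helper functions are assumptions for the example; the limit of 8 is taken from the warning text in the trace.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Upper bound on gradient records; 8 comes from the warning in the advisory
 * ("expected a max of 8"). The record layout used here is a simplified
 * assumption for illustration, not the SWF specification. */
#define MAX_GRADIENT_RECORDS 8

struct rgba { uint8_t r, g, b, a; };

/* Fixed-size destination: the parser must never write more records than
 * this structure can hold, whatever the count byte in the file says. */
struct morph_gradient {
    uint8_t num_records;
    struct rgba start_color[MAX_GRADIENT_RECORDS];
    struct rgba end_color[MAX_GRADIENT_RECORDS];
};

/* Bounds-checked byte reader over the untrusted input buffer. */
struct reader { const uint8_t *buf; size_t len; size_t pos; };

static int read_u8(struct reader *r, uint8_t *out) {
    if (r->pos >= r->len) return 0;      /* truncated input: refuse to read */
    *out = r->buf[r->pos++];
    return 1;
}

static int read_rgba(struct reader *r, struct rgba *c) {
    return read_u8(r, &c->r) && read_u8(r, &c->g) &&
           read_u8(r, &c->b) && read_u8(r, &c->a);
}

/* Parse a count byte followed by count (start RGBA, end RGBA) pairs.
 * Returns 1 on success, 0 on truncated input and -1 when the count
 * exceeds the destination array. A count that is only logged and not
 * enforced is what lets the copy loop run past the allocation. */
int parse_morph_gradient(const uint8_t *buf, size_t len, struct morph_gradient *g) {
    struct reader r = { buf, len, 0 };
    uint8_t n;

    if (!read_u8(&r, &n)) return 0;
    if (n > MAX_GRADIENT_RECORDS) {
        fprintf(stderr, "%u gradients, expected a max of %d: rejecting block\n",
                n, MAX_GRADIENT_RECORDS);
        return -1;                       /* enforce the limit, do not just warn */
    }
    g->num_records = n;
    for (uint8_t i = 0; i < n; i++) {
        if (!read_rgba(&r, &g->start_color[i]) ||
            !read_rgba(&r, &g->end_color[i]))
            return 0;
    }
    return 1;
}

/* Constructed sample inputs for the example (not the advisory's reproducer). */
static const uint8_t sample_ok[]        = { 2, 1,2,3,4, 5,6,7,8, 9,10,11,12, 13,14,15,16 };
static const uint8_t sample_oversized[] = { 255, 0,0,0,0, 0,0,0,0 };
static const uint8_t sample_truncated[] = { 3, 1,2,3,4, 5,6,7,8 };

int parse_sample_ok(struct morph_gradient *g) {
    return parse_morph_gradient(sample_ok, sizeof sample_ok, g);
}
int parse_sample_oversized(struct morph_gradient *g) {
    return parse_morph_gradient(sample_oversized, sizeof sample_oversized, g);
}
int parse_sample_truncated(struct morph_gradient *g) {
    return parse_morph_gradient(sample_truncated, sizeof sample_truncated, g);
}

int main(void) {
    struct morph_gradient g = {0};
    printf("valid input:     %d\n", parse_sample_ok(&g));        /* 1 */
    printf("count 255:       %d\n", parse_sample_oversized(&g)); /* -1 */
    printf("truncated input: %d\n", parse_sample_truncated(&g)); /* 0 */
    return 0;
}
```

The point of the example is the ordering: the count is compared against the capacity of the destination before any record is written, and an oversized count aborts the block instead of producing a diagnostic that is then ignored. The same check is the one to look for when reviewing the upstream commit linked below.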
Affected version:
0.4.7
Fixed version:
0.4.8
Commit fix:
https://github.com/libming/libming/commit/94b25ed1b038b5392fdaa6b845f6f501aba54130
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-9831
Reproducer:
https://github.com/asarubbo/poc/blob/master/00076-libming-heapoverflow-parseSWF_RGBA
Timeline:
2016-11-24: bug discovered and reported to upstream
2016-12-01: blog post about the issue
2016-12-05: CVE assigned
2017-01-30: upstream released a patch
2017-04-07: upstream released 0.4.8
Note:
This bug was found with American Fuzzy Lop.
Permalink:
libming: listswf: heap-based buffer overflow in parseSWF_RGBA (parser.c)