Description:
libming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way.
Fuzzing revealed a heap-based buffer overflow in listswf, the SWF dumping utility shipped with libming. The bug lives in the utility's parser code (util/parser.c), not in any shared object, so programs that merely link against libming do not hit it; but if you have a web application that calls the listswf binary directly to parse untrusted SWF files, you are affected.
The complete ASan output:
# listswf $FILE
header indicates a filesize of 237 but filesize is 191
File version: 6
File size: 191
Frame size: (3493,-4999)x(-5076,9541)
Frame rate: 39.625000 / sec.
Total frames: 33032
Stream out of sync after parse of blocktype 18 (SWF_SOUNDSTREAMHEAD). 29 but expecting 27.
Offset: 21 (0x0015)
Block type: 18 (SWF_SOUNDSTREAMHEAD)
Block length: 4
PlaybackSoundRate 5.5 kHz
PlaybackSoundSize 16 bit
PlaybackSoundType stereo
StreamSoundCompression MP3
StreamSoundRate 44 kHz
StreamSoundSize error
StreamSoundType mono
StreamSoundSampleCount 10838
LatencySeek 53805
Offset: 27 (0x001b)
Block type: 840 (Unknown Block Type)
Block length: 45
0000: 2c 37 a6 30 3a 29 ab d2 54 6e 8e 88 0a f5 1b 6a ,7.0:).. Tn.....j
0010: a2 f7 a1 a3 a3 a1 e1 06 70 04 8e 90 82 03 40 47 ........ p.....@G
0020: e0 30 c6 a6 83 57 ac 46 4f 8a 91 76 07 .0...W.F O..v.
Offset: 74 (0x004a)
Block type: 514 (Unknown Block Type)
Block length: 27
0000: b2 05 12 c2 3e 3a 01 20 d8 a7 7d 63 01 11 5c fc ....>:. ..}c..\.
0010: 15 8e 90 43 8f 64 8e 58 49 ad 95 ...C.d.X I..
Offset: 103 (0x0067)
Block type: 297 (Unknown Block Type)
Block length: 20
0000: 27 79 a2 e3 2c 56 2a 2d d2 2c 37 a6 30 3a 29 ab 'y..,V*- .,7.0:).
0010: d2 54 6e 8e .Tn.
skipping 8 bytes
Offset: 125 (0x007d)
Block type: 42 (SWF_DEFINETEXTFORMAT)
Block length: 8
255 gradients in SWF_MORPHGRADiENT, expected a max of 8
=================================================================
==31250==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62400000df10 at pc 0x00000057f342 bp 0x7ffe24b21ef0 sp 0x7ffe24b21ee8
WRITE of size 1 at 0x62400000df10 thread T0
    #0 0x57f341 in parseSWF_RGBA /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:66:12
    #1 0x57f341 in parseSWF_MORPHGRADIENTRECORD /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:746
    #2 0x57f341 in parseSWF_MORPHGRADIENT /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:761
    #3 0x57e25a in parseSWF_MORPHFILLSTYLE /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:777:7
    #4 0x58b9b8 in parseSWF_MORPHFILLSTYLES /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:804:7
    #5 0x58b9b8 in parseSWF_DEFINEMORPHSHAPE /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:2098
    #6 0x5302cb in blockParse /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/blocktypes.c:145:14
    #7 0x527d4f in readMovie /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:265:11
    #8 0x527d4f in main /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:350
    #9 0x7f39cc7da61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #10 0x419b38 in _init (/usr/bin/listswf+0x419b38)

0x62400000df10 is located 0 bytes to the right of 7696-byte region [0x62400000c100,0x62400000df10)
allocated by thread T0 here:
    #0 0x4d2af5 in calloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:72
    #1 0x58b90a in parseSWF_MORPHFILLSTYLES /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:801:28
    #2 0x58b90a in parseSWF_DEFINEMORPHSHAPE /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:2098
    #3 0x5302cb in blockParse /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/blocktypes.c:145:14
    #4 0x527d4f in readMovie /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:265:11
    #5 0x527d4f in main /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:350
    #6 0x7f39cc7da61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:66:12 in parseSWF_RGBA
Shadow bytes around the buggy address:
  0x0c487fff9b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c487fff9ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c487fff9bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c487fff9bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c487fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c487fff9be0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31250==ABORTING
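The trace tells the whole story: the parser warns that 255 gradients exceed the maximum of 8, then keeps calling parseSWF_MORPHGRADIENTRECORD / parseSWF_RGBA for every one of them, and the one-byte RGBA writes walk off the end of the 7696-byte fill-style array that parseSWF_MORPHFILLSTYLES obtained from calloc. A count byte that is checked but not enforced is the root cause. The following is an added example written for this page, not libming's code and not the upstream fix: a minimal parser for a MORPHGRADIENT-style block with the same fixed 8-entry record array, shown in the warn-and-continue shape beside a form that rejects the block before the loop and also fails cleanly on truncated input. The record layout (NumGradients UI8, then per record StartRatio UI8, StartColor RGBA, EndRatio UI8, EndColor RGBA) is assumed from the SWF specification; all function and type names, and the sample byte blocks, are this example's own.

```c
/* Added example, not libming's code. Layout assumed from the SWF spec:
 * NumGradients (UI8), then NumGradients x 10-byte MORPHGRADRECORDs. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_GRADIENTS 8

struct rgba { uint8_t r, g, b, a; };

struct morph_gradient_record {
    uint8_t start_ratio;
    struct rgba start_color;
    uint8_t end_ratio;
    struct rgba end_color;
};

/* Fixed-size array, like libming's GradientRecords[8]: the count byte read
 * from the file must never be allowed to index past it. */
struct morph_gradient {
    uint8_t num_gradients;
    struct morph_gradient_record records[MAX_GRADIENTS];
};

struct reader { const uint8_t *buf; size_t len, pos; };

/* Bounds-checked byte read: -1 on a truncated stream instead of overreading. */
static int read_u8(struct reader *rd, uint8_t *out)
{
    if (rd->pos >= rd->len) return -1;
    *out = rd->buf[rd->pos++];
    return 0;
}

static int read_rgba(struct reader *rd, struct rgba *c)
{
    if (read_u8(rd, &c->r) || read_u8(rd, &c->g) ||
        read_u8(rd, &c->b) || read_u8(rd, &c->a))
        return -1;
    return 0;
}

static int read_record(struct reader *rd, struct morph_gradient_record *rec)
{
    if (read_u8(rd, &rec->start_ratio) || read_rgba(rd, &rec->start_color) ||
        read_u8(rd, &rec->end_ratio)   || read_rgba(rd, &rec->end_color))
        return -1;
    return 0;
}

/* VULNERABLE shape, mirroring what the 0.4.7 trace shows: the count is
 * compared against the array size, but the code only warns and then loops to
 * the attacker-chosen count anyway. With a count of 255 the RGBA writes land
 * 247 records past records[], the heap overflow ASan reports in parseSWF_RGBA.
 * Kept here for comparison only; never call it on untrusted data. */
int parse_morph_gradient_vuln(struct reader *rd, struct morph_gradient *g)
{
    if (read_u8(rd, &g->num_gradients)) return -1;
    if (g->num_gradients > MAX_GRADIENTS)
        fprintf(stderr, "%d gradients, expected a max of %d\n",
                g->num_gradients, MAX_GRADIENTS);      /* warns, then goes on */
    for (int i = 0; i < g->num_gradients; i++)
        if (read_record(rd, &g->records[i])) return -1;
    return 0;
}

/* Hardened form: refuse the block before the loop touches the array. */
int parse_morph_gradient(struct reader *rd, struct morph_gradient *g)
{
    if (read_u8(rd, &g->num_gradients)) return -1;
    if (g->num_gradients > MAX_GRADIENTS) {
        fprintf(stderr, "%d gradients, expected a max of %d: rejecting block\n",
                g->num_gradients, MAX_GRADIENTS);
        g->num_gradients = 0;
        return -1;
    }
    for (int i = 0; i < g->num_gradients; i++)
        if (read_record(rd, &g->records[i])) return -1;
    return 0;
}

/* Constructed sample blocks for this example (not bytes from the PoC file). */
static const uint8_t benign_block[] = {
    0x02,                                                   /* 2 records   */
    0x00, 0xff,0x00,0x00,0xff,  0xff, 0x00,0x00,0xff,0xff,  /* red -> blue */
    0x80, 0x00,0xff,0x00,0xff,  0x40, 0xff,0xff,0xff,0xff,  /* green -> white */
};
static const uint8_t hostile_block[]   = { 0xff, 0x00, 0xff, 0x00, 0x00, 0xff };
static const uint8_t truncated_block[] = { 0x03, 0x00, 0xff,0x00,0x00,0xff, 0xff, 0x00,0x00,0xff,0xff };

/* Each check returns 1 when the hardened parser behaves as intended. */
int check_benign(void)
{
    struct reader rd = { benign_block, sizeof benign_block, 0 };
    struct morph_gradient g; memset(&g, 0, sizeof g);
    return parse_morph_gradient(&rd, &g) == 0 && g.num_gradients == 2 &&
           rd.pos == sizeof benign_block && g.records[0].start_color.r == 0xff &&
           g.records[1].end_ratio == 0x40;
}

int check_hostile(void)    /* count 255: refused, only the count byte consumed */
{
    struct reader rd = { hostile_block, sizeof hostile_block, 0 };
    struct morph_gradient g; memset(&g, 0, sizeof g);
    return parse_morph_gradient(&rd, &g) == -1 && rd.pos == 1 && g.num_gradients == 0;
}

int check_truncated(void)  /* count 3 but only one record present */
{
    struct reader rd = { truncated_block, sizeof truncated_block, 0 };
    struct morph_gradient g; memset(&g, 0, sizeof g);
    return parse_morph_gradient(&rd, &g) == -1;
}

int main(void)
{
    printf("benign=%d hostile=%d truncated=%d\n",
           check_benign(), check_hostile(), check_truncated());
    return 0;
}
```

The point of the hardened variant is that the decision happens on the count byte alone, before any record is written, so a hostile block never reaches the array; the reader also refuses to read past its buffer, which covers the second failure mode listswf shows in this same run ("Stream out of sync", "header indicates a filesize of 237 but filesize is 191"). Compile with -fsanitize=address and feed the warn-and-continue function the hostile block if you want to reproduce the same class of report on this toy.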
Affected version:
0.4.7
Fixed version:
0.4.8
Commit fix:
https://github.com/libming/libming/commit/94b25ed1b038b5392fdaa6b845f6f501aba54130
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-9831
Reproducer:
https://github.com/asarubbo/poc/blob/master/00076-libming-heapoverflow-parseSWF_RGBA
Timeline:
2016-11-24: bug discovered and reported to upstream
2016-12-01: blog post about the issue
2016-12-05: CVE assigned
2017-01-30: upstream released a patch
2017-04-07: upstream released 0.4.8
Note:
This bug was found with American Fuzzy Lop.
Permalink:
libming: listswf: heap-based buffer overflow in parseSWF_RGBA (parser.c)