Description:
libming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way.
Fuzzing revealed a NULL pointer access in listswf. The bug does not reside in any shared object, but if you have a web application that calls the listswf binary directly to parse untrusted SWF files, then you are affected.
The complete ASan output:
# listswf $FILE
header indicates a filesize of 7917 but filesize is 187
File version: 100
File size: 187
Frame size: (8452,8981)x(-4096,0)
Frame rate: 67.851562 / sec.
Total frames: 16387
Stream out of sync after parse of blocktype 2 (SWF_DEFINESHAPE). 166 but expecting 23.
Offset: 21 (0x0015)
Block type: 2 (SWF_DEFINESHAPE)
Block length: 0
CharacterID: 55319
RECT: (-2048,140)x(0,-1548):12
FillStyleArray:
FillStyleCount: 18
FillStyleCountExtended: 0
FillStyle: FillStyleType: 0 RGBA: ( 0, 1,9a,ff)
FillStyle: FillStyleType: 7f
FillStyle: FillStyleType: b
FillStyle: FillStyleType: fb
FillStyle: FillStyleType: 82
FillStyle: FillStyleType: 24
FillStyle: FillStyleType: 67
FillStyle: FillStyleType: 67
FillStyle: FillStyleType: 18
FillStyle: FillStyleType: 9d
FillStyle: FillStyleType: 6d
FillStyle: FillStyleType: d7
FillStyle: FillStyleType: 97
FillStyle: FillStyleType: 1
FillStyle: FillStyleType: 26
FillStyle: FillStyleType: 1a
FillStyle: FillStyleType: 17
FillStyle: FillStyleType: 9a
LineStyleArray:
LineStyleCount: 19
LineStyle: Width: 1722 RGBA: (7a,38,df,ff)
LineStyle: Width: 42742 RGBA: ( 0, 0, 0,ff)
LineStyle: Width: 70 RGBA: (10,91,64,ff)
LineStyle: Width: 37031 RGBA: (e7,c7,15,ff)
LineStyle: Width: 9591 RGBA: (dc,ee,81,ff)
LineStyle: Width: 4249 RGBA: ( 0,ee,ed,ff)
LineStyle: Width: 60909 RGBA: (ed,ed,ed,ff)
LineStyle: Width: 60909 RGBA: (ed,ed,ed,ff)
LineStyle: Width: 60909 RGBA: (ed,ed,ed,ff)
LineStyle: Width: 60909 RGBA: (ed,ed,ed,ff)
LineStyle: Width: 60909 RGBA: (ed,ed,ed,ff)
LineStyle: Width: 60909 RGBA: (ed,ed,a7,ff)
LineStyle: Width: 42919 RGBA: (a7,a7,9c,ff)
LineStyle: Width: 40092 RGBA: (9c,9c,9c,ff)
LineStyle: Width: 32156 RGBA: (9c,bc,9c,ff)
LineStyle: Width: 33948 RGBA: (9c,9c,9c,ff)
LineStyle: Width: 26404 RGBA: ( 0, c,80,ff)
LineStyle: Width: 42752 RGBA: (a7, 2, 2,ff)
LineStyle: Width: 514 RGBA: (c6, 2, 0,ff)
NumFillBits: 11
NumLineBits: 13
Curved EdgeRecord: 9 Control(-145,637) Anchor(-735,-1010)
Curved EdgeRecord: 7 Control(-177,156) Anchor(16,32)
StyleChangeRecord: StateNewStyles: 0 StateLineStyle: 1 StateFillStyle1: 0 StateFillStyle0: 0 StateMoveTo: 0 LineStyle: 257
ENDSHAPE
Offset: 23 (0x0017)
Block type: 864 (Unknown Block Type)
Block length: 23
0000: 64 00 00 00 46 4f a3 12 00 00 01 9a 7f 0b fb 82 d...FO.. .......
0010: 24 67 67 18 9d 6d d7 $gg..m.
Offset: 48 (0x0030)
Block type: 6 (SWF_DEFINEBITS)
Block length: 23
CharacterID: 6694
Offset: 73 (0x0049)
Block type: 87 (SWF_DEFINEBINARYDATA)
Block length: 7
0000: ASAN:DEADLYSIGNAL
=================================================================
==27703==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000059d2ff bp 0x7ffe859e6fc0 sp 0x7ffe859e6f50 T0)
==27703==The signal is caused by a READ memory access.
==27703==Hint: address points to the zero page.
    #0 0x59d2fe in dumpBuffer /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/read.c:441:23
    #1 0x51c305 in outputSWF_UNKNOWNBLOCK /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/outputtxt.c:2870:3
    #2 0x51c305 in outputBlock /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/outputtxt.c:2937
    #3 0x527e83 in readMovie /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:277:4
    #4 0x527e83 in main /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:350
    #5 0x7f0186c4461f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x419b38 in _init (/usr/bin/listswf+0x419b38)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/read.c:441:23 in dumpBuffer
==27703==ABORTING
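The crash site above is the hex-dump routine being handed a NULL buffer for a block that declares a 7-byte payload. As an added illustration (not libming's code: readBlockHeader, dumpBuffer, countTruncatedBlocks and the sample bytes are hypothetical, and a block whose declared length runs past the end of the input is assumed as one way such a NULL can arise), the following C walks SWF record headers and dumps each payload without ever dereferencing a NULL pointer:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* SWF RECORDHEADER: 16-bit LE word, upper 10 bits = tag code, lower 6 bits =
 * length; a length of 0x3f means a 32-bit length follows the word. */
typedef struct { unsigned tag; size_t length, header_len;
                 const uint8_t *data; /* NULL if payload runs past the input */ } SwfBlock;
/* Parse the record header at buf[pos]; returns 0 if the header itself is cut off. */
int readBlockHeader(const uint8_t *buf, size_t size, size_t pos, SwfBlock *out) {
    if (buf == NULL || out == NULL || pos + 2 > size) return 0;
    uint16_t hdr = (uint16_t)(buf[pos] | (buf[pos + 1] << 8));
    out->tag = hdr >> 6;
    out->length = hdr & 0x3f;
    out->header_len = 2;
    if (out->length == 0x3f) {               /* long form: 32-bit length follows */
        if (pos + 6 > size) return 0;
        out->length = (size_t)buf[pos + 2] | ((size_t)buf[pos + 3] << 8)
                    | ((size_t)buf[pos + 4] << 16) | ((size_t)buf[pos + 5] << 24);
        out->header_len = 6;
    }
    size_t start = pos + out->header_len;    /* start <= size is guaranteed above */
    out->data = (out->length <= size - start) ? buf + start : NULL;
    return 1;
}
/* Hex dump in listswf's "0000: xx xx ..." layout. A NULL buffer (the state that
 * crashed listswf) is reported instead of dereferenced. Returns bytes dumped. */
size_t dumpBuffer(const uint8_t *buf, size_t len) {
    if (buf == NULL || len == 0) { puts("  (no data)"); return 0; }
    for (size_t off = 0; off < len; off += 16) {
        printf("%04zx:", off);
        for (size_t i = 0; i < 16 && off + i < len; i++) printf(" %02x", buf[off + i]);
        putchar('\n');
    }
    return len;
}
/* Walk the block list, dumping each payload; returns how many blocks declared
 * more bytes than the input holds (the walk stops at the first such block). */
int countTruncatedBlocks(const uint8_t *buf, size_t size) {
    int truncated = 0;
    SwfBlock b;
    for (size_t pos = 0; readBlockHeader(buf, size, pos, &b); pos += b.header_len + b.length) {
        printf("Block type: %u  Block length: %zu\n", b.tag, b.length);
        dumpBuffer(b.data, b.length);
        if (b.data == NULL) { truncated++; break; }
    }
    return truncated;
}
/* Constructed sample: a tag-87 (DEFINEBINARYDATA) block carrying 7 bytes, then a
 * second tag-87 header that claims 7 bytes when only 3 remain in the input. */
static const uint8_t SAMPLE_SWF[] = { 0xC7, 0x15, 1, 2, 3, 4, 5, 6, 7,
                                      0xC7, 0x15, 0xAA, 0xBB, 0xCC };
```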
Affected version:
0.4.7
Fixed version:
0.4.8
Commit fix:
https://github.com/libming/libming/commit/80ebea953f0da0a5206bfaf02d5396d292e91a3a
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-9828
Reproducer:
https://github.com/asarubbo/poc/blob/master/00078-libming-nullptr-dumpBuffer
Timeline:
2016-11-24: bug discovered and reported to upstream
2016-12-01: blog post about the issue
2016-12-05: CVE assigned
2017-01-30: upstream released a patch
2017-04-07: upstream released 0.4.8
Note:
This bug was found with American Fuzzy Lop.
Permalink:
libming: listswf: NULL pointer dereference in dumpBuffer (read.c)