{"id":1008,"date":"2016-12-01T17:46:33","date_gmt":"2016-12-01T15:46:33","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1008"},"modified":"2017-04-29T15:44:36","modified_gmt":"2017-04-29T13:44:36","slug":"libming-listswf-heap-based-buffer-overflow-in-parseswf_definefont-parser-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/12\/01\/libming-listswf-heap-based-buffer-overflow-in-parseswf_definefont-parser-c\/","title":{"rendered":"libming: listswf: heap-based buffer overflow in parseSWF_DEFINEFONT (parser.c)"},"content":{"rendered":"

Description<\/strong>:
\nlibming<\/a> is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way..<\/p>\n

A fuzzing revealed an overflow in listswf. The bug does not reside in any shared object but if you have a web application that calls directly the listswf binary to parse untrusted swf, then you are affected.<\/p>\n

The complete ASan output:<\/p>\n

# listswf $FILE\r\nheader indicates a filesize of 237 but filesize is 272\r\nFile version: 6\r\nFile size: 272\r\nFrame size: (-4926252,-2829100)x(-2829100,-2829100)\r\nFrame rate: 166.648438 \/ sec.\r\nTotal frames: 42662\r\n\r\nOffset: 25 (0x0019)\r\nBlock type: 666 (Unknown Block Type)\r\nBlock length: 38\r\n\r\n\r\n0000: a6 a6 a6 a6 a6 a6 a6 a6  a6 a6 a6 a6 a6 c5 c5 c5    ........ ........\r\n0010: c5 c5 00 02 00 00 19 9a  02 ba 06 80 00 00 fe 38    ........ .......8\r\n0020: 01 00 a6 e3 80 29                                  .....)\r\n\r\n\r\n\r\nOffset: 65 (0x0041)\r\nBlock type: 149 (Unknown Block Type)\r\nBlock length: 55\r\n\r\n\r\n0000: dc 20 1c db 31 89 c7 ff  7f 0a d8 97 c5 c5 c5 c5    . ..1... .......\r\n0010: cb c5 ea fc 77 da c5 c5  c5 c5 c5 d3 d3 1a 19 9a    ....w... ........\r\n0020: 7a 38 df f6 a6 e3 80 40  77 a5 e3 00 ba f5 90 6f    z8.....@ w......o\r\n0030: d3 1a 5d f0 59 0e c2                               ..].Y..\r\n\r\n\r\n\r\nOffset: 122 (0x007a)\r\nBlock type: 896 (Unknown Block Type)\r\nBlock length: 47\r\n\r\n\r\n0000: 7f 41 41 41 67 67 18 9d  6d ea 3b 3f ff ff ba 06    AAAgg.. m.;?....\r\n0010: 80 00 00 fe 38 01 00 a6  e3 80 29 77 25 dc 20 1c    ....8... ..)w%. .\r\n0020: db 31 89 c7 ff 7f 0a d8  97 c5 c5 c5 c5 a6 2f       .1..... ......\/\r\n\r\n\r\n\r\nOffset: 171 (0x00ab)\r\nBlock type: 919 (Unknown Block Type)\r\nBlock length: 48\r\n\r\n\r\n0000: ab d2 20 65 ff fe 7f 7f  0b 1c 62 24 67 89 18 79    .. e.. ..b$g..y\r\n0010: a2 e3 2c 61 2a 2d c1 2c  37 a6 2f f0 e5 ab d2 20    ..,a*-., 7.\/.... \r\n0020: 65 65 65 65 65 c7 8e cb  0a d8 1b 75 85 c5 c5 03    eeeee... ...u....\r\n\r\n\r\n\r\nOffset: 221 (0x00dd)\r\nBlock type: 791 (Unknown Block Type)\r\nBlock length: 7\r\n\r\n\r\n0000: c5 b7 c5 d3 d3 1a 19                               .......\r\n\r\n\r\n=================================================================\r\n==634==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb0 at pc 0x00000058582e bp 0x7fff1ed6df60 sp 0x7fff1ed6df58\r\nWRITE of size 2 at 0x60200000efb0 thread T0\r\n    #0 0x58582d in parseSWF_DEFINEFONT \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/parser.c:1656:29\r\n    #1 0x5302cb in blockParse \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/blocktypes.c:145:14\r\n    #2 0x527d4f in readMovie \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/main.c:265:11\r\n    #3 0x527d4f in main \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/main.c:350\r\n    #4 0x7fad6007961f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #5 0x419b38 in _init (\/usr\/bin\/listswf+0x419b38)\r\n\r\n0x60200000efb1 is located 0 bytes to the right of 1-byte region [0x60200000efb0,0x60200000efb1)\r\nallocated by thread T0 here:\r\n    #0 0x4d28f8 in malloc \/tmp\/portage\/sys-devel\/llvm-3.9.0-r1\/work\/llvm-3.9.0.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:64\r\n    #1 0x58532d in parseSWF_DEFINEFONT \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/parser.c:1655:36\r\n    #2 0x5302cb in blockParse \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/blocktypes.c:145:14\r\n    #3 0x527d4f in readMovie \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/main.c:265:11\r\n    #4 0x527d4f in main \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/main.c:350\r\n    #5 0x7fad6007961f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/parser.c:1656:29 in parseSWF_DEFINEFONT\r\nShadow bytes around the buggy address:\r\n  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c047fff9df0: fa fa fa fa fa fa[01]fa fa fa 00 fa fa fa 07 fa\r\n  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==634==ABORTING\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n0.4.7<\/p>\n
Fixed version:<\/strong>
\n0.4.8<\/p>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/libming\/libming\/commit\/e397b5e6f947e2d18ec633c0ffd933b2f3097876<\/a><\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n
CVE:<\/strong>
\nCVE-2016-9829<\/p>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00075-libming-heapoverflow-parseSWF_DEFINEFONT<\/a><\/p>\n
Timeline:<\/strong>
\n2016-11-24: bug discovered and reported to upstream
\n2016-12-01: blog post about the issue
\n2016-12-05: CVE assigned
\n2017-01-30: upstream released a patch
\n2017-04-07: upstream released 0.4.8<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
libming: listswf: heap-based buffer overflow in parseSWF_DEFINEFONT (parser.c)<\/a><\/p><\/blockquote>\n