{"id":1011,"date":"2016-12-01T17:53:48","date_gmt":"2016-12-01T15:53:48","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1011"},"modified":"2017-04-29T15:43:56","modified_gmt":"2017-04-29T13:43:56","slug":"libming-listswf-null-pointer-dereference-in-dumpbuffer-read-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/12\/01\/libming-listswf-null-pointer-dereference-in-dumpbuffer-read-c\/","title":{"rendered":"libming: listswf: NULL pointer dereference in dumpBuffer (read.c)"},"content":{"rendered":"

Description<\/strong>:
\nlibming<\/a> is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way..<\/p>\n

A fuzzing revealed a null pointer access in listswf. The bug does not reside in any shared object but if you have a web application that calls directly the listswf binary to parse untrusted swf, then you are affected.<\/p>\n

The complete ASan output:<\/p>\n

# listswf $FILE\r\nheader indicates a filesize of 7917 but filesize is 187\r\nFile version: 100\r\nFile size: 187\r\nFrame size: (8452,8981)x(-4096,0)\r\nFrame rate: 67.851562 \/ sec.\r\nTotal frames: 16387\r\n Stream out of sync after parse of blocktype 2 (SWF_DEFINESHAPE). 166 but expecting 23.\r\n\r\nOffset: 21 (0x0015)\r\nBlock type: 2 (SWF_DEFINESHAPE)\r\nBlock length: 0\r\n\r\n CharacterID: 55319\r\n RECT:  (-2048,140)x(0,-1548):12\r\n FillStyleArray:  FillStyleCount:     18  FillStyleCountExtended:      0\r\n FillStyle:  FillStyleType: 0\r\n RGBA: ( 0, 1,9a,ff)\r\n FillStyle:  FillStyleType: 7f\r\n FillStyle:  FillStyleType: b\r\n FillStyle:  FillStyleType: fb\r\n FillStyle:  FillStyleType: 82                                                                                                                                                                 \r\n FillStyle:  FillStyleType: 24                                                                                                                                                                 \r\n FillStyle:  FillStyleType: 67                                                                                                                                                                 \r\n FillStyle:  FillStyleType: 67                                                                                                                                                                 \r\n FillStyle:  FillStyleType: 18                                                                                                                                                                 \r\n FillStyle:  FillStyleType: 9d                                                                                                                                                                 \r\n FillStyle:  FillStyleType: 6d                                                                                                                                                                 \r\n FillStyle:  FillStyleType: d7                                                                                                                                                                 \r\n FillStyle:  FillStyleType: 97                                                                                                                                                                 \r\n FillStyle:  FillStyleType: 1                                                                                                                                                                  \r\n FillStyle:  FillStyleType: 26                                                                                                                                                                 \r\n FillStyle:  FillStyleType: 1a                                                                                                                                                                 \r\n FillStyle:  FillStyleType: 17                                                                                                                                                                 \r\n FillStyle:  FillStyleType: 9a                                                                                                                                                                 \r\n LineStyleArray:  LineStyleCount: 19                                                                                                                                                           \r\n LineStyle:  Width: 1722                                                                                                                                                                       \r\n RGBA: (7a,38,df,ff)                                                                                                                                                                           \r\n LineStyle:  Width: 42742                                                                                                                                                                      \r\n RGBA: ( 0, 0, 0,ff)                                                                                                                                                                           \r\n LineStyle:  Width: 70                                                                                                                                                                         \r\n RGBA: (10,91,64,ff)                                                                                                                                                                           \r\n LineStyle:  Width: 37031                                                                                                                                                                      \r\n RGBA: (e7,c7,15,ff)                                                                                                                                                                           \r\n LineStyle:  Width: 9591                                                                                                                                                                       \r\n RGBA: (dc,ee,81,ff)                                                                                                                                                                           \r\n LineStyle:  Width: 4249                                                                                                                                                                       \r\n RGBA: ( 0,ee,ed,ff)                                                                                                                                                                           \r\n LineStyle:  Width: 60909                                                                                                                                                                      \r\n RGBA: (ed,ed,ed,ff)                                                                                                                                                                           \r\n LineStyle:  Width: 60909\r\n RGBA: (ed,ed,ed,ff)\r\n LineStyle:  Width: 60909\r\n RGBA: (ed,ed,ed,ff)\r\n LineStyle:  Width: 60909\r\n RGBA: (ed,ed,ed,ff)\r\n LineStyle:  Width: 60909\r\n RGBA: (ed,ed,ed,ff)\r\n LineStyle:  Width: 60909\r\n RGBA: (ed,ed,a7,ff)\r\n LineStyle:  Width: 42919\r\n RGBA: (a7,a7,9c,ff)\r\n LineStyle:  Width: 40092\r\n RGBA: (9c,9c,9c,ff)\r\n LineStyle:  Width: 32156\r\n RGBA: (9c,bc,9c,ff)\r\n LineStyle:  Width: 33948\r\n RGBA: (9c,9c,9c,ff)\r\n LineStyle:  Width: 26404\r\n RGBA: ( 0, c,80,ff)\r\n LineStyle:  Width: 42752\r\n RGBA: (a7, 2, 2,ff)\r\n LineStyle:  Width: 514\r\n RGBA: (c6, 2, 0,ff)\r\n NumFillBits: 11\r\n NumLineBits: 13\r\n Curved EdgeRecord: 9 Control(-145,637) Anchor(-735,-1010)\r\n Curved EdgeRecord: 7 Control(-177,156) Anchor(16,32)\r\n StyleChangeRecord:\r\n  StateNewStyles: 0 StateLineStyle: 1  StateFillStyle1: 0\r\n  StateFillStyle0: 0 StateMoveTo: 0\r\n   LineStyle: 257\r\n  ENDSHAPE\r\n\r\nOffset: 23 (0x0017)\r\nBlock type: 864 (Unknown Block Type)\r\nBlock length: 23\r\n\r\n\r\n0000: 64 00 00 00 46 4f a3 12  00 00 01 9a 7f 0b fb 82    d...FO.. .......\r\n0010: 24 67 67 18 9d 6d d7                               $gg..m.\r\n\r\n\r\n\r\nOffset: 48 (0x0030)\r\nBlock type: 6 (SWF_DEFINEBITS)\r\nBlock length: 23\r\n\r\n CharacterID: 6694\r\n\r\nOffset: 73 (0x0049)\r\nBlock type: 87 (SWF_DEFINEBINARYDATA)\r\nBlock length: 7\r\n\r\n\r\n0000: ASAN:DEADLYSIGNAL\r\n=================================================================\r\n==27703==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000059d2ff bp 0x7ffe859e6fc0 sp 0x7ffe859e6f50 T0)\r\n==27703==The signal is caused by a READ memory access.\r\n==27703==Hint: address points to the zero page.\r\n    #0 0x59d2fe in dumpBuffer \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/read.c:441:23\r\n    #1 0x51c305 in outputSWF_UNKNOWNBLOCK \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/outputtxt.c:2870:3\r\n    #2 0x51c305 in outputBlock \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/outputtxt.c:2937\r\n    #3 0x527e83 in readMovie \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/main.c:277:4\r\n    #4 0x527e83 in main \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/main.c:350\r\n    #5 0x7f0186c4461f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #6 0x419b38 in _init (\/usr\/bin\/listswf+0x419b38)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/read.c:441:23 in dumpBuffer\r\n==27703==ABORTING\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n0.4.7<\/p>\n
Fixed version:<\/strong>
\n0.4.8<\/p>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/libming\/libming\/commit\/80ebea953f0da0a5206bfaf02d5396d292e91a3a<\/a><\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n
CVE:<\/strong>
\nCVE-2016-9828<\/p>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00078-libming-nullptr-dumpBuffer<\/a><\/p>\n
Timeline:<\/strong>
\n2016-11-24: bug discovered and reported to upstream
\n2016-12-01: blog post about the issue
\n2016-12-05: CVE assigned
\n2017-01-30: upstream released a patch
\n2017-04-07: upstream released 0.4.8<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
libming: listswf: NULL pointer dereference in dumpBuffer (read.c)<\/a><\/p><\/blockquote>\n