An integer overflow happens at line 3925 of gSWFParser.cpp:

```cpp
{
    int sz = len;
    data = new unsigned char[ sz ];
    r->getData( data, sz );
}
```

The `sz` comes from `len`, and when `len` becomes a really big integer, the `new` will return false.

`len` is a private member of namespace SWF:
```cpp
namespace SWF {
template <class T>
class IdItem : public Item {
protected:
    IdItem() { type = 0; len = 0; }
    int getHeaderSize(int size) { return 8; }
    void writeHeader(Writer *w, Context *ctx, size_t len) { w->putByte(type); }
    void setType(int t) { type = t; }
    int getType() { return type; }
    void setLength(int l) { len = l; }
    int getLength() { return len; }
    int type;
    int len;   // signed length; a negative value converts to a huge size_t in new[]
};
}
```
In the function `get`:

```cpp
Filter *Filter::get(Reader *r, int end, Context *ctx) {
```

the `len` is from

```cpp
int len = end - r->getPosition();
```

and it will be a negative number, which is why the `new` operation fails.

PoC: https://drive.google.com/open?id=1hBFvf2l1Jp8elvm6-HMNf_b6bqd1DzKC
ASan: https://drive.google.com/open?id=1btf-tyhwl4bzXNgidrYk96xf43RhqOO7
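The following is an added example, not code from the report or from the parser's own source: it shows why a negative `end - getPosition()` is dangerous (the signed-to-`size_t` conversion that feeds `new[]`) and a validated length computation that refuses such a value before any allocation. `Reader` is a minimal stand-in assumed here; the real class is only known to expose `getPosition()` and `getData()`.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Stand-in for the parser's Reader (assumption: only getPosition()/getData() matter here).
struct Reader {
    std::vector<unsigned char> buf;
    std::size_t pos = 0;
    int getPosition() const { return static_cast<int>(pos); }
    // Copies n bytes at the current position and advances; throws if the buffer is too short.
    void getData(unsigned char *dst, std::size_t n) {
        if (n > buf.size() - pos) throw std::out_of_range("read past end of buffer");
        for (std::size_t i = 0; i < n; ++i) dst[i] = buf[pos + i];
        pos += n;
    }
};

// What `new unsigned char[sz]` effectively receives when sz is a negative int:
// the value is converted to size_t, so -1 becomes SIZE_MAX.
std::size_t rawArraySize(int sz) { return static_cast<std::size_t>(sz); }

// Computes the payload length the way Filter::get does, but validates it.
// Returns false when `end` lies before the current position (negative length)
// or when the tag claims more bytes than remain in the buffer.
bool computeFilterLength(const Reader &r, int end, std::size_t &out) {
    int pos = r.getPosition();
    if (end < pos) return false;                       // would yield a negative len
    std::size_t len = static_cast<std::size_t>(end) - static_cast<std::size_t>(pos);
    if (len > r.buf.size() - r.pos) return false;      // length exceeds remaining input
    out = len;
    return true;
}

// Hardened counterpart of the reported block: allocate only after the length is validated.
std::vector<unsigned char> readFilterData(Reader &r, int end) {
    std::size_t len = 0;
    if (!computeFilterLength(r, end, len)) throw std::runtime_error("invalid filter length");
    std::vector<unsigned char> data(len);
    r.getData(data.data(), len);
    return data;
}
```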