r->position() + len causes an integer overflow at line 6857 of gSWFParser.cpp:
    // file_offset + len is computed in int; a large len wraps the sum negative
    if( r->getPosition() != file_offset + len ) {
        fprintf( stderr, "WARNING: end of tag %s is @%i, should be @%i\n",
                 "DefineSprite",
                 r->getPosition(),
                 file_offset+len );
        r->seekTo( file_offset + len );   // the wrapped value becomes the reader position
    }
This makes the current position a negative number.
Then, in the function getWord, pos becomes a really big number, which causes an out-of-bounds access.
uint16_t Reader::getWord() {
    if (pos+2 > length) {          // bounds check: does not reject a negative pos
        err = Reader::eof;
        pos = length+1;
        return 0;
    }
    printf("%d\n", pos);
    int r = data[pos++];           // out-of-bounds read once pos is negative
    r += data[pos++]<<8;
    return r;
}
PoC: https://drive.google.com/open?id=1o3DyrB2cT_yHOMqYWOUXxHKqgHKQ3Oad
ASan report: https://drive.google.com/open?id=1FfVhfhB_lJc6bAYOWyoOkjz-Udmn0l9J
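The following is an added illustration of the two-step failure described above (the wrapped tag end, then the bounds check that lets a negative position through) together with the checks that close both paths. It is not swfmill's code and not part of the original report; the SafeReader class, wrappedTagEnd, tagEnd and readWordAt are hypothetical stand-ins, and it assumes pos and length are ints as in the snippet above and that the tag length arrives as a 32-bit unsigned value.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>

// Hypothetical minimal stand-in for the parser's Reader, with the seek and
// read paths hardened (assumption: data is an int-sized buffer, pos/length are ints).
class SafeReader {
public:
    SafeReader(const unsigned char *d, int len) : data(d), length(len), pos(0), err(false) {}

    // Hardened seekTo: a negative or past-end target is rejected and flagged
    // instead of being stored in pos.
    bool seekTo(long long target) {
        if (target < 0 || target > length) { err = true; return false; }
        pos = static_cast<int>(target);
        return true;
    }

    // Hardened getWord: the original test "pos+2 > length" is not true for a
    // negative pos, so a bad seek reaches data[pos]. Checking the sign first
    // closes that path; the two-byte little-endian read itself is unchanged.
    uint16_t getWord() {
        if (pos < 0 || pos > length - 2) {
            err = true;
            pos = length + 1;
            return 0;
        }
        uint16_t r = data[pos++];
        r |= static_cast<uint16_t>(data[pos++] << 8);
        return r;
    }

    int getPosition() const { return pos; }
    bool error() const { return err; }

private:
    const unsigned char *data;
    int length;
    int pos;
    bool err;
};

// What the parser's int addition "file_offset + len" wraps to for a large len.
// Done in unsigned arithmetic so the demonstration is well defined; the real
// code adds in int, which is where the overflow happens.
int wrappedTagEnd(int file_offset, uint32_t len) {
    return static_cast<int>(static_cast<uint32_t>(file_offset) + len);
}

// Overflow-safe replacement: widen before adding and refuse any end that does
// not fit an int or lies beyond the buffer. Returns -1 so the caller can
// reject the tag instead of seeking to a wrapped position.
long long tagEnd(int file_offset, uint32_t len, int length) {
    long long end = static_cast<long long>(file_offset) + static_cast<long long>(len);
    if (end > INT_MAX || end > length) return -1;
    return end;
}

// Seek to `target` on a small constructed sample buffer and read one word.
// Returns the word, or -1 if the hardened seek rejected the target.
int readWordAt(long long target) {
    static const unsigned char sample[] = {0x34, 0x12, 0x78, 0x56}; // constructed input
    SafeReader r(sample, static_cast<int>(sizeof sample));
    if (!r.seekTo(target)) return -1;
    return r.getWord();
}

int main() {
    int file_offset = 100;
    uint32_t len = 0x7FFFFFFFu; // constructed: an oversized tag length from the file
    printf("naive end : %d\n", wrappedTagEnd(file_offset, len));              // negative
    printf("safe end  : %lld\n", tagEnd(file_offset, len, 4096));             // -1
    printf("word@0    : 0x%04x\n", readWordAt(0));                            // 0x1234
    printf("word@neg  : %d\n", readWordAt(wrappedTagEnd(file_offset, len)));  // -1
    return 0;
}
```

The point of the two checks is that they are independent: even if the end-of-tag arithmetic is fixed, a reader whose seekTo accepts any int and whose getWord only compares pos+2 against length still trusts a negative position, so both the arithmetic and the reader need the guard.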