djcsdy / swfmill

Generate or decompile Adobe Flash SWF files using an XML dialect. Inspect and modify the XML by hand, or by using a built in XSLT processor.
http://www.swfmill.org/
GNU General Public License v2.0

bug3: an integer overflow in swfmill swf2xml #48

Open ghost opened 6 years ago

ghost commented 6 years ago

poc: https://drive.google.com/open?id=1Z8WmeSap9iPaiUcVJZCIfrkZfvHUSOSa
asan: https://drive.google.com/open?id=1v47arABbjZFQyRV_8lSBOT59jKuTW8gT

swfmill/src/SWFReader.cpp: the segmentation fault happens at

    char *Reader::getPStringU30() {
        byteAlign();
        uint32_t len = getU30();
        // when len == 0xffffffff, len+1 wraps to 0 and a zero-byte buffer is allocated
        char *dst = new char[len+1];
        getData(dst, len);
        dst[len]=0;
        return dst;
    }

uint32_t len is from getU30(); in this function there exists an integer overflow

    uint32_t Reader::getU30() {
        uint32_t r = 0;
        unsigned char c;

        for (int i = 0; i < 5; i++) {
            c = data[pos++];
            // for the fifth byte (i == 4) the shift is 28, so a 7-bit group can set
            // bits above the 30-bit range of a U30; the result is not capped
            r |= (c & 0x7F) << (7 * i);

            if (!(c & 0x80)) {
                return r;
            }

            if (pos > length) {
                err = Reader::eof;
                pos = length+1;
                return 0;
            }
        }

        return r;
    }

r will be 0xffffffff after parsing.
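As an added example (not swfmill's own code), the decoder below reproduces the reported U30 logic with a bounds check so it can run safely, next to a hardened decoder that rejects values outside the 30-bit range and a length guard a reader should apply before `new char[len+1]`. The function names, the `U30Result` struct and the byte sequences are constructed for this illustration.

```cpp
#include <cstddef>
#include <cstdint>

// Outcome of decoding one U30 (SWF variable-length 30-bit unsigned integer).
struct U30Result {
    bool ok;          // false on truncated input or an out-of-range value
    uint32_t value;
    size_t consumed;  // bytes read on success
};

// Reproduction of the reported logic (plus a buffer bound so it is safe to run):
// the fifth 7-bit group is shifted by 28, so bytes FF FF FF FF 0F yield 0xffffffff
// even though a U30 may only carry 30 bits.
static uint32_t decodeU30Naive(const uint8_t *data, size_t length, size_t &pos) {
    uint32_t r = 0;
    for (int i = 0; i < 5 && pos < length; i++) {
        uint8_t c = data[pos++];
        r |= (uint32_t)(c & 0x7F) << (7 * i);
        if (!(c & 0x80)) return r;
    }
    return r;
}

// Hardened decoder: never reads past the buffer, limits the fifth byte to the two
// bits that fit in 30 bits, and treats five continuation bytes as malformed.
static U30Result decodeU30Checked(const uint8_t *data, size_t length, size_t pos) {
    U30Result res = {false, 0, 0};
    uint32_t r = 0;
    for (int i = 0; i < 5; i++) {
        if (pos + i >= length) return res;        // truncated input
        uint8_t c = data[pos + i];
        uint32_t group = c & 0x7F;
        if (i == 4 && group > 0x03) return res;   // only bits 28..29 may be set
        r |= group << (7 * i);
        if (!(c & 0x80)) {
            res.ok = true; res.value = r; res.consumed = (size_t)i + 1;
            return res;
        }
    }
    return res;  // continuation bit still set after five bytes: malformed
}

// Guard for the allocation in getPStringU30: len+1 must not wrap, and the string
// must fit in the bytes remaining in the input.
static bool pstringLengthIsSane(uint32_t len, size_t remaining) {
    if (len == UINT32_MAX) return false;          // len + 1 would wrap to 0
    return (size_t)len <= remaining;
}
```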