djcsdy / swfmill

Generate or decompile Adobe Flash SWF files using an XML dialect. Inspect and modify the XML by hand, or by using a built in XSLT processor.
http://www.swfmill.org/
GNU General Public License v2.0
131 stars 28 forks

bug 5: heap oob read (info leak) bug of swfmill swf2xml #50

Open ghost opened 6 years ago

ghost commented 6 years ago

poc: https://drive.google.com/open?id=1QtKIySFez4q1XG7UzRAOwN0cZ_s3urhd
asan: https://drive.google.com/open?id=1lrD-UBZEKFZggTyIUtYcdQQJzN9fkAJD

```cpp
bool DefineSceneAndFrameLabelData::parse( Reader *r, int end, Context *ctx ) {
    file_offset = r->getPosition();
    if( ctx->debugTrace ) {
        fprintf( stderr, "PARSE %s @%i-%i :%i\n",
                 "DefineSceneAndFrameLabelData",
                 r->getPosition(),
                 r->getBits(),
                 end );
    }

    // sceneCount comes straight from the file; it is never compared with `end`
    sceneCount = r->getEncodedU32();
    if( ctx->debugTrace ) {
        fprintf( stderr, "PARSE %s: %" PRIi32 "\n",
                 "sceneCount",
                 sceneCount );
    }

    {
        if( ctx->debugTrace ) {
            fprintf( stderr, "PARSE list<%s> %s: %i items, @%i-%i :%i\n",
                     "Scene",
                     "scenes",
                     sceneCount,
                     r->getPosition(),
                     r->getBits(),
                     end );
        }
        Scene *item;
        // the loop runs sceneCount times; neither the count nor the reader
        // position is checked against `end` before each Scene::get
        for( int i=0; i<sceneCount; i++ ) {
            item = Scene::get(r,end,ctx);
            scenes.append( item );
        }
    }
    // ... (rest of the function omitted in the report)

Scene* Scene::get( Reader *r, int end, Context *ctx ) {
    Scene* ret = new Scene;
    ret->parse( r, end, ctx );
    return ret;
}

bool Scene::parse( Reader *r, int end, Context *ctx ) {
    file_offset = r->getPosition();
    if( ctx->debugTrace ) {
        fprintf( stderr, "PARSE %s @%i-%i :%i\n",
                 "Scene",
                 r->getPosition(),
                 r->getBits(),
                 end );
    }

    // both reads below advance the reader without consulting `end`
    offset = r->getEncodedU32();
    if( ctx->debugTrace ) {
        fprintf( stderr, "PARSE %s: %" PRIi32 "\n",
                 "offset",
                 offset );
    }
    name = r->getString();
    if( ctx->debugTrace ) {
        fprintf( stderr, "PARSE %s: %s\n",
                 "name",
                 name );
    }

    return r->getError() == Reader::ok;
}
```

The variable `end` is useless! Because the variable `sceneCount` is set based on the value from the file (`r->getEncodedU32()`), this value can be faked! In the loop below, `for( int i=0; i<sceneCount; i++ )`, it will execute `Scene::get` many times without checking. So a heap out-of-bounds read will happen, which may cause memory leaking!
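The fix the report points at is to honour `end`: bound every read by the tag boundary and reject a scene count that cannot fit in the bytes that remain. The following is an added, stand-alone illustration of that hardened loop; it is not swfmill's code, and the `BoundedReader` class, the `remaining()` helper and the sample tag bodies are constructed for this example (the method names only mirror those visible in the excerpt above).

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Minimal bounds-checked reader over an in-memory tag body. Constructed for this
// example; NOT swfmill's Reader, although the method names mirror the excerpt.
class BoundedReader {
public:
    enum Error { ok, eof, malformed };

    explicit BoundedReader(const std::vector<uint8_t>& data)
        : buf(data), pos(0), err(ok) {}

    size_t getPosition() const { return pos; }
    Error getError() const { return err; }

    // Bytes left before `end` (the boundary the original parse receives but ignores).
    size_t remaining(size_t end) const { return pos < end ? end - pos : 0; }

    // SWF EncodedU32: little-endian base-128, 7 data bits per byte, at most 5 bytes.
    uint32_t getEncodedU32(size_t end) {
        uint32_t value = 0;
        for (int shift = 0; shift < 35; shift += 7) {
            if (pos >= end || pos >= buf.size()) { err = eof; return 0; }
            uint8_t b = buf[pos++];
            value |= uint32_t(b & 0x7f) << shift;
            if ((b & 0x80) == 0) return value;
        }
        err = malformed;  // continuation bit still set on the 5th byte
        return 0;
    }

    // NUL-terminated string that must terminate before `end`.
    std::string getString(size_t end) {
        std::string s;
        for (;;) {
            if (pos >= end || pos >= buf.size()) { err = eof; return s; }
            char c = static_cast<char>(buf[pos++]);
            if (c == '\0') return s;
            s.push_back(c);
        }
    }

private:
    const std::vector<uint8_t>& buf;
    size_t pos;
    Error err;
};

struct Scene {
    uint32_t offset;
    std::string name;
};

// Hardened version of the loop in the report: the file-supplied sceneCount is
// checked against the bytes actually available, and every read is bounded by
// `end`, so a forged count cannot drive reads past the tag body.
bool parseScenes(BoundedReader& r, size_t end, std::vector<Scene>& out) {
    uint32_t sceneCount = r.getEncodedU32(end);
    if (r.getError() != BoundedReader::ok) return false;

    // Plausibility check: each Scene needs at least 2 bytes (a 1-byte offset
    // plus the string terminator), so a count above remaining/2 is forged.
    if (sceneCount > r.remaining(end) / 2) return false;

    for (uint32_t i = 0; i < sceneCount; i++) {
        Scene s;
        s.offset = r.getEncodedU32(end);
        s.name = r.getString(end);
        if (r.getError() != BoundedReader::ok) return false;  // truncated body
        out.push_back(s);
    }
    return true;
}

// Convenience wrapper: `body` is one tag body, and its size is the `end` boundary.
bool parseBody(const std::vector<uint8_t>& body, std::vector<Scene>& out) {
    BoundedReader r(body);
    return parseScenes(r, body.size(), out);
}

// Number of scenes recovered, or -1 if the body was rejected.
int scenesParsed(const std::vector<uint8_t>& body) {
    std::vector<Scene> out;
    return parseBody(body, out) ? static_cast<int>(out.size()) : -1;
}

// Constructed sample bodies (not taken from the PoC file linked above).
std::vector<uint8_t> wellFormedBody() {
    // sceneCount=2; scene 0: offset 0, "a"; scene 1: offset 128 (0x80 0x01), "bc"
    return {0x02, 0x00, 'a', 0x00, 0x80, 0x01, 'b', 'c', 0x00};
}
std::vector<uint8_t> forgedCountBody() {
    // sceneCount=0xFFFFFFFF followed by a single real scene
    return {0xFF, 0xFF, 0xFF, 0xFF, 0x0F, 0x00, 'a', 0x00};
}
std::vector<uint8_t> truncatedBody() {
    // sceneCount=2, but the second scene's name is cut off before its NUL
    return {0x02, 0x00, 'a', 0x00, 0x00, 'b'};
}
```

The plausibility check is deliberately conservative (it only rejects counts that cannot possibly fit); the per-read `end` bound is what actually stops the loop on a truncated body, returning the partial list together with a failure status instead of reading past the buffer.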