libming:null pointer dereference in stackswap


Ming is a library for generating Macromedia Flash files (.swf), written in C, and  for working includes useful utilities king with .swf files.

A null pointer dereference vulnerability was found in function stackswap in decompile.c, which allows attackers to cause a denial of service via a crafted file.

#swftocxx $FILE out
SEGV on unknown address 0x000000000000 (pc 0x000000545058 bp 0x603000000160 sp 0x7fffce29b5b0 T0)
==17155==The signal is caused by a READ memory access.
==17155==Hint: address points to the zero page.
    #0 0x545057 in stackswap /home/haojun/Downloads/libming-master/util/decompile.c:629:29
    #1 0x545057 in decompileSTACKSWAP /home/haojun/Downloads/libming-master/util/decompile.c:1344
    #2 0x545057 in decompileAction /home/haojun/Downloads/libming-master/util/decompile.c:3159
    #3 0x5875eb in decompileActions /home/haojun/Downloads/libming-master/util/decompile.c:3401:6
    #4 0x5875eb in decompile5Action /home/haojun/Downloads/libming-master/util/decompile.c:3423
    #5 0x52a0c5 in outputSWF_DOACTION /home/haojun/Downloads/libming-master/util/outputscript.c:1548:29
    #6 0x531311 in readMovie /home/haojun/Downloads/libming-master/util/main.c:277:4
    #7 0x531311 in main /home/haojun/Downloads/libming-master/util/main.c:350
    #8 0x7fd51244fb34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #9 0x41ae7b in _start (/home/haojun/Downloads/libming-afl-build/bin/swftocxx+0x41ae7b)

SEGV /home/haojun/Downloads/libming-master/util/decompile.c:629:29 in stackswap

Affected version: latest version
Fixed version:N/A
Commit fix:N/A
Credit: ADLab of Venustech.
2017-06-07:bug discovered and reported to the libming GitHub issue page
2017-07-24:blog post about the issue



libming:memory leak in parseSWF_DOACTION

Poppler:stack buffer overflow in GfxImageColorMap::getGray