CVE-2023-36239: Allocation size overflow in parseSWF_DEFINEFONTINFO() at parser.c:1948 · Issue #273 · libming/libming

libming listswf 0.4.7 was discovered to contain a buffer overflow in the parseSWF_DEFINEFONTINFO() function at parser.c.


Allocation size overflow in parseSWF_DEFINEFONTINFO() at parser.c:1948

Allocation size overflow in listswf, in function parseSWF_DEFINEFONTINFO at parser.c:1948.

Environment

Ubuntu 18.04, 64 bit
libming 0.4.7

Steps to reproduce

  1. download file

    git clone https://github.com/libming/libming.git libming-ming-0_4_7

  2. compile libming with ASAN

    cd libming-ming-0_4_7
    git checkout 5aa3470
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=$(pwd)/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install

    cd obj-bc/bin/
    extract-bc listswf
    clang -fsanitize=address -lz -lm listswf.bc -o listswf_asan

  3. command for reproducing the error

Download poc:
libming_0-4-7_listswf_allocation-size-overflow_parser1948.zip

ASAN report

root@a71b82b5d288:~/dataset/libming-ming-0_4_7/obj-bc/bin# ./listswf_asan libming_0-4-7_listswf_allocation-size-overflow_parser1948.swf 
header indicates a filesize of 6350 but filesize is 296
File version: 10
File size: 296
Frame size: (0,0)x(0,0)
Frame rate: 237.609375 / sec.
Total frames: 31640
=================================================================
==29667==ERROR: AddressSanitizer: requested allocation size 0xfffffffffffffed6 (0x6d8 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x4ade60 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x50fefd in parseSWF_DEFINEFONTINFO /root/dataset/libming-ming-0_4_7/util/parser.c:1948:34
    #2 0x4fefda in blockParse /root/dataset/libming-ming-0_4_7/util/blocktypes.c:145:14
    #3 0x4fceb2 in readMovie /root/dataset/libming-ming-0_4_7/util/main.c:265:11
    #4 0x4fca7d in main /root/dataset/libming-ming-0_4_7/util/main.c:350:2
    #5 0x7fa41cb57c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

==29667==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
==29667==ABORTING
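The requested size in the report, 0xfffffffffffffed6, is -298 reinterpreted as size_t: a signed allocation count went negative before reaching malloc. The C example below is added here and is not libming's code; it models that failure with a simplified, constructed DEFINEFONTINFO layout (assumed: 4 fixed header bytes, then nameLen name bytes, then 16-bit code-table entries) and shows the length check a hardened parser performs before allocating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified, constructed model of the DEFINEFONTINFO body: 4 fixed bytes
 * (FontID, nameLen, flags), then nameLen bytes of font name, then a code
 * table assumed here to hold 16-bit entries. Not libming's own layout code. */
#define FONTINFO_FIXED_BYTES 4

/* The risky pattern: block length minus bytes already consumed, done in
 * signed arithmetic, then handed to malloc as size_t with no range check.
 * A short block makes the count negative and the size_t wraps to near 2^64. */
size_t codetable_bytes_unchecked(int length, unsigned nameLen)
{
    int ncodes = length - FONTINFO_FIXED_BYTES - (int)nameLen; /* may be < 0 */
    return sizeof(uint16_t) * (size_t)ncodes;                   /* wraps */
}

/* Hardened: validate the header against the remaining block length before
 * deriving a count. Returns the entry count, or -1 for a malformed block. */
long codetable_entries_checked(int length, unsigned nameLen)
{
    if (length < 0 || nameLen > 255)
        return -1;
    unsigned consumed = FONTINFO_FIXED_BYTES + nameLen;
    if ((unsigned)length < consumed)          /* body shorter than it claims */
        return -1;
    return (long)(((unsigned)length - consumed) / sizeof(uint16_t));
}

/* Allocate the code table only after the size check has passed. */
uint16_t *alloc_codetable(int length, unsigned nameLen)
{
    long n = codetable_entries_checked(length, nameLen);
    if (n < 0)
        return NULL;
    return calloc(n > 0 ? (size_t)n : 1, sizeof(uint16_t));
}

int main(void)
{
    /* Constructed header: block length 2, nameLen 147 -> -149 entries, i.e.
     * -298 bytes, which on 64-bit is the 0xfffffffffffffed6 ASAN reported. */
    printf("unchecked request: 0x%zx bytes\n", codetable_bytes_unchecked(2, 147));
    printf("checked, short block: %ld\n", codetable_entries_checked(2, 147));
    printf("checked, sane block: %ld entries\n", codetable_entries_checked(4 + 3 + 10, 3));
    return 0;
}
```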
