CVE-2023-30084: Invalid memory read in stackVal() at decompile.c:1238 · Issue #268 · libming/libming

An issue found in libming swftophp v.0.4.8 allows a local attacker to cause a denial of service via the stackVal function in util/decompile.c.

Invalid memory read in the latest version of libming at function stackVal in util/decompile.c:1238.

wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
tar -zxvf ming-0_4_8.tar.gz


cd libming-ming-0_4_8
./autogen.sh
export FORCE_UNSAFE_CONFIGURE=1
export LLVM_COMPILER=clang
CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
make
make install

cd obj-bc/bin/
extract-bc swftophp
clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan


root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_invalid-memory-read_decompile1238.swf 
header indicates a filesize of 4278191411 but filesize is 166
<?php
$m = new SWFMovie();

ming_setscale(1.0);

/* Note: using v5+ syntax for script blocks (original SWF file version was 4)! */

$m->setRate(64.855469);
$m->setDimension(66, 327);

/* Note: xMin and/or yMin are not 0! */

$m->setFrames(7440);
 Stream out of sync after parse of blocktype 24 (SWF_PROTECT). 124 but expecting 58.

/* SWF_PROTECT */
$m->protect("\tJ�A�\n�=�b��h"�BAH���CU���!�����М{/��R���z��W:�6$QSՖ�;owf޼�0]x�\r�������\)���
                                                                                            ��Qp(#}�m�\_");
 Stream out of sync after parse of blocktype 9 (SWF_SETBACKGROUNDCOLOR). 63 but expecting 119.

/* SWF_SETBACKGROUNDCOLOR */
$m->setBackground(0x2f, 0xed, 0xd1);
 Stream out of sync after parse of blocktype 11 (SWF_DEFINETEXT). 165 but expecting 125.

/* SWF_DEFINETEXT */
$character24412 = new SWFText(1);
$character24412->setFont($f392);
$character24412->setHeight(30910);
$character24412->setColor(0x79, 0x9d, 0xb2);
$character24412->moveTo(0, -15327);
$character24412->addString("X");
Failed to find branch target!!!
Looking for: -28887

 Stream out of sync after parse of blocktype 12 (SWF_DOACTION). 138 but expecting 134.

/* SWF_DOACTION */
AddressSanitizer:DEADLYSIGNAL
=================================================================
==60499==ERROR: AddressSanitizer: SEGV on unknown address 0x601fffffffb0 (pc 0x000000502876 bp 0x7ffe6a2faa50 sp 0x7ffe6a2faa50 T0)
==60499==The signal is caused by a READ memory access.
    #0 0x502876 in stackVal /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1238:41
    #1 0x4fe03d in decompileIF /root/compiler1804/libming-ming-0_4_8/util/decompile.c:2395:7
    #2 0x4facdc in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3242:10
    #3 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
    #4 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
    #5 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
    #6 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
    #7 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
    #8 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
    #9 0x7f6f2645dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41b8d9 in _start (/root/compiler1804/libming-ming-0_4_8/obj-bc/bin/swftophp_asan+0x41b8d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1238:41 in stackVal
==60499==ABORTING
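
A triage helper for the report above, added here as an example; it is not part of the original issue or of libming. It parses the AddressSanitizer output into a fault summary and a bucketing key so that duplicate crash reports can be grouped. The `/util/` path filter, the bucket depth of 3 and the names `parse_asan` and `dedup_key` are assumptions of this example.

```python
import re

# Excerpt of the AddressSanitizer report above (frames #5-#7 left out).
ASAN_LOG = """\
==60499==ERROR: AddressSanitizer: SEGV on unknown address 0x601fffffffb0 (pc 0x000000502876 bp 0x7ffe6a2faa50 sp 0x7ffe6a2faa50 T0)
==60499==The signal is caused by a READ memory access.
    #0 0x502876 in stackVal /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1238:41
    #1 0x4fe03d in decompileIF /root/compiler1804/libming-ming-0_4_8/util/decompile.c:2395:7
    #2 0x4facdc in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3242:10
    #3 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
    #4 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
    #8 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
    #9 0x7f6f2645dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41b8d9 in _start (/root/compiler1804/libming-ming-0_4_8/obj-bc/bin/swftophp_asan+0x41b8d9)
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# Frames that carry source info: "#N 0xPC in func /path/file.c:line[:col]"
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (/\S+?):(\d+)(?::\d+)?$", re.M)


def parse_asan(log, project_marker="/util/"):
    """Return error kind, access type, fault address and in-project frames."""
    err = ERROR_RE.search(log)
    acc = ACCESS_RE.search(log)
    frames = [
        (func, path.rsplit("/", 1)[-1], int(line))
        for _, func, path, line in FRAME_RE.findall(log)
        if project_marker in path  # assumed filter: drops libc and runtime frames
    ]
    return {
        "kind": err.group(1) if err else None,
        "address": int(err.group(2), 16) if err else None,
        "access": acc.group(1) if acc else None,
        "frames": frames,
    }


def dedup_key(report, depth=3):
    """Bucket key: error kind, access type, top `depth` function names.
    Line numbers are left out so the key survives small source shifts."""
    funcs = [f[0] for f in report["frames"][:depth]]
    return "|".join([str(report["kind"]), str(report["access"])] + funcs)


if __name__ == "__main__":
    print(dedup_key(parse_asan(ASAN_LOG)))
```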
