
bug2: an integer overflow of swfmill swf2xml #47

Open
@ghost

Description

poc:
https://drive.google.com/open?id=1o3DyrB2cT_yHOMqYWOUXxHKqgHKQ3Oad
asan:
https://drive.google.com/open?id=1FfVhfhB_lJc6bAYOWyoOkjz-Udmn0l9J

r->position() + len caused an integer overflow at line 6857 of file gSWFParser.cpp

if( r->getPosition() != file_offset + len ) {
    fprintf( stderr, "WARNING: end of tag %s is @%i, should be @%i\n",
             "DefineSprite",
             r->getPosition(),
             file_offset+len );
    r->seekTo( file_offset + len );
}

It will make the current pos a negative number.
Then, in the function getWord, pos will be a really big number, which causes an OOB access.

uint16_t Reader::getWord() {
    if (pos+2 > length) {
        err = Reader::eof;
        pos = length+1;
        return 0;
    }
    printf("%d\n", pos);
    int r = data[pos++];
    r += data[pos++]<<8;
    return r;
}
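Both faulty spots in the report share one root cause: `file_offset + len` and `pos+2` are additions that can wrap, and `seekTo` stores whatever it is given. The hardened reader below is an added example, a hypothetical `SafeReader` rather than swfmill's own `Reader` class; it rewrites each check as a subtraction against the bytes remaining and rejects out-of-range seeks, so a hostile tag length yields a clean error instead of an out-of-bounds read.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical hardened reader (not swfmill's code). Positions are size_t
// and every bound is checked by subtraction so no sum can wrap.
class SafeReader {
public:
    enum Error { ok = 0, eof = 1, range = 2 };

    explicit SafeReader(const std::vector<uint8_t>& bytes)
        : data(bytes), length(bytes.size()), pos(0), err(ok) {}

    size_t getPosition() const { return pos; }
    Error error() const { return err; }

    // Refuse any target outside [0, length] instead of storing it and
    // letting the next read index past the buffer.
    bool seekTo(size_t target) {
        if (target > length) { err = range; return false; }
        pos = target;
        return true;
    }

    // End-of-tag offset as the parser needs it, computed without overflow:
    // `len > length - file_offset` is the wrap-free form of
    // `file_offset + len > length`.
    bool tagEnd(size_t file_offset, uint32_t len, size_t& end) const {
        if (file_offset > length || len > length - file_offset) return false;
        end = file_offset + len;
        return true;
    }

    // `length - pos < 2` replaces `pos + 2 > length`; pos <= length always
    // holds here, so the subtraction cannot underflow.
    uint16_t getWord() {
        if (pos > length || length - pos < 2) {
            err = eof;
            pos = length;
            return 0;
        }
        uint16_t r = data[pos++];
        r |= static_cast<uint16_t>(data[pos++] << 8);
        return r;
    }

private:
    std::vector<uint8_t> data;
    size_t length;
    size_t pos;
    Error err;
};
```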
