[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] [CVE-2017-8782]Libming readString denial of service
From: 吴栋 <qflb.wu () dbappsecurity ! com ! cn>
Date: 2017-05-27 8:36:55
Message-ID: 24ec0dca.bf4.15c490d1fe0.Coremail.qflb.wu () dbappsecurity ! com ! cn
[Download RAW message or body]
[CVE-2017-8782]Libming readString denial of service
================
CVE ID : CVE-2017-8782
Author : qflb.wu
===============
Introduction:
=============
Ming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, \
Java, and probably more on the way.
Affected version:
=====
0.4.8
Vulnerability Description:
==========================
the readString function in util/read.c and util/old/read.c in libming 0.4.8 can cause a \
denial of service via a large file via listswf listaction etc
char *readString(FILE *f)
{
int len = 0, buflen = 256;
char c, *buf, *p;
buf = (char *)malloc(sizeof(char)*256);
p = buf;
while((c=(char)readUInt8(f)) != '\0')
{
if(len >= buflen-2)
{
buf = (char *)realloc(buf, sizeof(char)*(buflen+256)); <=========
buflen += 256;
p = buf+len;
}
switch(c)
{
case '\n':
*(p++) = '\\';*(p++) = 'n';++len;break;
case '\t':
*(p++) = '\\';*(p++) = 't';++len;break;
case '\r':
*(p++) = '\\';*(p++) = 'r';++len;break;
default:
*(p++) = c;
}
++len;
}
*p = 0;
return buf;
}
the source code has not check the return of the realloc function ,
if the crafted file is large enough , realloc may cause memory allocation error
or
buflen+256 may result in Integer Overflow and buflen+256 may become zero , realloc(buf,0) --> \
free. ==========================
qflb.wu () dbappsecurity com cn
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic