[CVE-2017-8782]Libming readString denial of service

[吴栋 <qflb.wu () dbappsecurity com cn>]

[CVE-2017-8782]Libming readString denial of service
================
CVE ID : CVE-2017-8782
Author : qflb.wu
===============




Introduction:
=============
Ming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on 
the way.


Affected version:
=====
0.4.8


Vulnerability Description:
==========================
the readString function in util/read.c  and util/old/read.c in libming 0.4.8  can cause a denial of service via a large 
file via listswf listaction etc


char *readString(FILE *f)
{
  int len = 0, buflen = 256;
  char c, *buf, *p;


  buf = (char *)malloc(sizeof(char)*256);
  p = buf;


  while((c=(char)readUInt8(f)) != '\0')
  {
    if(len >= buflen-2)
    {
      buf = (char *)realloc(buf, sizeof(char)*(buflen+256)); <=========
      buflen += 256;
      p = buf+len;
    }


    switch(c)
    {
      case '\n':
*(p++) = '\\';*(p++) = 'n';++len;break;
      case '\t':
*(p++) = '\\';*(p++) = 't';++len;break;
      case '\r':
*(p++) = '\\';*(p++) = 'r';++len;break;
      default:
*(p++) = c;
    }


    ++len;
  }


  *p = 0;


  return buf;
}


the source code has not check the return of the realloc function , 
if the crafted file is large enough , realloc may cause memory allocation error 
or 
buflen+256 may result in Integer Overflow and buflen+256 may become zero , realloc(buf,0) --> free.
==========================




qflb.wu () dbappsecurity com cn


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/