
An integer overflow bug of wav2swf

Open ghost opened this issue 8 years ago • 4 comments

https://github.com/matthiaskramm/swftools/blob/54657f9ba3dd4fa3e54c8f8c18f3def7a42d1f1c/lib/wav.c#L225

In the malloc there is an integer overflow bug: `(samplelen*ratio*2)+128` makes the malloc fail.

So `samples` is 0: https://github.com/matthiaskramm/swftools/blob/master/src/wav2swf.c#L238

When memcpy uses `samples`, it causes a null pointer dereference bug: `memcpy(samples2, samples, numsamples*sizeof(U16));`

ghost, Nov 13 '17 00:11
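As an added example (not code from swftools or from anyone in this thread), the two checks that would have caught the chain reported above: the size expression is computed with overflow detection instead of wrapping, and the allocation is tested for NULL before anything copies into it. The names `samplelen`, `ratio`, `numsamples` and `U16` follow the report; 32-bit operands and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t U16;

/* Model of the unchecked size expression with 32-bit arithmetic
 * (assumption: int-sized operands). Large inputs wrap silently, so the
 * buffer handed to malloc is far smaller than intended, or malloc fails. */
uint32_t unchecked_size(uint32_t samplelen, uint32_t ratio)
{
    return samplelen * ratio * 2 + 128;
}

/* Same formula with every step bounds-checked.
 * Returns 1 and stores the byte count in *out, or 0 on overflow. */
int checked_size(uint32_t samplelen, uint32_t ratio, uint32_t *out)
{
    uint32_t bytes;
    if (ratio != 0 && samplelen > UINT32_MAX / ratio) return 0;
    bytes = samplelen * ratio;
    if (bytes > UINT32_MAX / 2) return 0;
    bytes *= 2;
    if (bytes > UINT32_MAX - 128) return 0;
    *out = bytes + 128;
    return 1;
}

/* Allocate the conversion buffer and copy numsamples U16 values into it.
 * Every failure path returns NULL instead of letting memcpy touch a null
 * pointer, which is the crash the report describes. */
U16 *copy_samples(const U16 *src, uint32_t numsamples, uint32_t ratio)
{
    uint32_t bytes;
    size_t need = (size_t)numsamples * sizeof(U16);
    if (!checked_size(numsamples, ratio, &bytes)) return NULL;
    if (need > bytes) return NULL;          /* only possible when ratio == 0 */
    U16 *dst = malloc(bytes);
    if (dst == NULL) return NULL;           /* the missing NULL check */
    memcpy(dst, src, need);
    return dst;
}
```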

PoC: https://drive.google.com/open?id=1kD0ZU1x72VUssjgNIOUQiQ466IBNSO7A
ASan: https://drive.google.com/open?id=1zPP4vcwK-dxkafXo9cdTSD6vyfZa7Nba

ghost, Nov 13 '17 00:11

Is there any plan to address this? Please note that CVE-2017-16868 was assigned. @matthiaskramm

NicoleG25, Jan 02 '20 11:01

Yes, it would be good to fix this. I'll take a PR.

matthiaskramm, Jan 02 '20 14:01

I think PR #75 will solve this issue.

yoya, Jan 17 '20 16:01