lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 27 May 2017 16:36:55 +0800 (GMT+08:00)
From: 吴栋 <>
Subject: [FD] [CVE-2017-8782]Libming readString denial of service

[CVE-2017-8782]Libming readString denial of service
CVE ID : CVE-2017-8782
Author : qflb.wu

Ming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way.

Affected version:

Vulnerability Description:
the readString function in util/read.c  and util/old/read.c in libming 0.4.8  can cause a denial of service via a large file via listswf listaction etc

char *readString(FILE *f)
  int len = 0, buflen = 256;
  char c, *buf, *p;

  buf = (char *)malloc(sizeof(char)*256);
  p = buf;

  while((c=(char)readUInt8(f)) != '\0')
    if(len >= buflen-2)
      buf = (char *)realloc(buf, sizeof(char)*(buflen+256)); <=========
      buflen += 256;
      p = buf+len;

      case '\n':
*(p++) = '\\';*(p++) = 'n';++len;break;
      case '\t':
*(p++) = '\\';*(p++) = 't';++len;break;
      case '\r':
*(p++) = '\\';*(p++) = 'r';++len;break;
*(p++) = c;


  *p = 0;

  return buf;

the source code has not check the return of the realloc function , 
if the crafted file is large enough , realloc may cause memory allocation error 
buflen+256 may result in Integer Overflow and buflen+256 may become zero , realloc(buf,0) --> free.

qflb.wu () dbappsecurity com cn

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists