[CVE-2017-8782]Libming readString denial of service ================ CVE ID : CVE-2017-8782 Author : qflb.wu =============== Introduction: ============= Ming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way. Affected version: ===== 0.4.8 Vulnerability Description: ========================== the readString function in util/read.c and util/old/read.c in libming 0.4.8 can cause a denial of service via a large file via listswf listaction etc char *readString(FILE *f) { int len = 0, buflen = 256; char c, *buf, *p; buf = (char *)malloc(sizeof(char)*256); p = buf; while((c=(char)readUInt8(f)) != '\0') { if(len >= buflen-2) { buf = (char *)realloc(buf, sizeof(char)*(buflen+256)); <========= buflen += 256; p = buf+len; } switch(c) { case '\n': *(p++) = '\\';*(p++) = 'n';++len;break; case '\t': *(p++) = '\\';*(p++) = 't';++len;break; case '\r': *(p++) = '\\';*(p++) = 'r';++len;break; default: *(p++) = c; } ++len; } *p = 0; return buf; } the source code has not check the return of the realloc function , if the crafted file is large enough , realloc may cause memory allocation error or buflen+256 may result in Integer Overflow and buflen+256 may become zero , realloc(buf,0) --> free. ========================== qflb.wu () dbappsecurity com cn