From f42fdb48986f29278907ab11f615b1c5d2f87530 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Mon, 19 Feb 2018 17:40:23 +0100
Subject: [PATCH 28/29] Fix heap-use-after-free in decompileIF

The decompileIF function in util/decompile.c accesses actions array without checking the validity of n, the user entered index. This leads to heap-use-after-free issues when n is zero. This commit addresses this issue by using the OpCode function which does check input arguments. This commit fixes #105 (CVE-2018-6359).
---
 util/decompile.c | 2 +-
 1 file changed, 1 insertions(+), 1 deletion(-)

diff --git a/util/decompile.c b/util/decompile.c
index a303d6ba..1126ef0f 100644
--- a/util/decompile.c
+++ b/util/decompile.c
@@ -2387,7 +2387,7 @@ decompileIF(int n, SWF_ACTION *actions, int maxn)
 #define SOME_IF_DEBUG 0 /* coders only */
 int has_else_or_break= ((sact->Actions[sact->numActions-1].SWF_ACTIONRECORD.ActionCode == SWFACTION_JUMP) && (sact->Actions[sact->numActions-1].SWF_ACTIONJUMP.BranchOffset > 0 )) ? 1:0;
-int has_lognot=(actions[n-1].SWF_ACTIONRECORD.ActionCode == SWFACTION_LOGICALNOT) ? 1:0;
+int has_lognot=(OpCode(actions, n-1, maxn) == SWFACTION_LOGICALNOT) ? 1:0;
 int else_action_cnt=0,is_logor=0,is_logand=0,sbi,sbe;
 /* before emitting any "if"/"else" characters let's check
-- 
2.14.3
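Review bot: The guarded read now covers only `actions[n-1]`, while the context line just above it still indexes `sact->Actions[sact->numActions-1]` twice with no check that `numActions` is non-zero, which is the same unchecked-index shape the commit message describes for `n`; whether `numActions` can actually be 0 for an IF record built from attacker-controlled SWF input is not visible in this hunk, so it should be confirmed rather than assumed safe. If it can, the same line needs a guard, e.g. `int has_else_or_break = (sact->numActions > 0 && sact->Actions[sact->numActions-1].SWF_ACTIONRECORD.ActionCode == SWFACTION_JUMP && sact->Actions[sact->numActions-1].SWF_ACTIONJUMP.BranchOffset > 0) ? 1 : 0;`. The fix also relies on `OpCode()` treating a negative index (n == 0 gives -1) as out of range rather than only checking the upper bound against `maxn`; a one-line comment such as `/* OpCode() bounds-checks n-1; n may be 0 here (CVE-2018-6359) */` would record why the direct array access was replaced. decompileIF's body begins and continues outside this hunk.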