ming-0.4.5-14.1.mga6.src.rpm

From f42fdb48986f29278907ab11f615b1c5d2f87530 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Mon, 19 Feb 2018 17:40:23 +0100
Subject: [PATCH 28/29] Fix heap-use-after-free in decompileIF

The decompileIF function in util/decompile.c accesses actions
array without checking the validity of n, the user entered index.
This leads to heap-use-after-free issues when n is zero.

This commit addresses this issue by using the OpCode function
which does check input arguments.

This commit fixes #105 (CVE-2018-6359).
---
 util/decompile.c | 2 +-
 1 file changed, 1 insertions(+), 1 deletion(-)

diff --git a/util/decompile.c b/util/decompile.c
index a303d6ba..1126ef0f 100644
--- a/util/decompile.c
+++ b/util/decompile.c
@@ -2387,7 +2387,7 @@ decompileIF(int n, SWF_ACTION *actions, int maxn)
 #define SOME_IF_DEBUG 0	/* coders only */
 		int has_else_or_break= ((sact->Actions[sact->numActions-1].SWF_ACTIONRECORD.ActionCode == SWFACTION_JUMP) &&
 			(sact->Actions[sact->numActions-1].SWF_ACTIONJUMP.BranchOffset > 0 )) ? 1:0;
-		int has_lognot=(actions[n-1].SWF_ACTIONRECORD.ActionCode == SWFACTION_LOGICALNOT) ? 1:0;
+		int has_lognot=(OpCode(actions, n-1, maxn) == SWFACTION_LOGICALNOT) ? 1:0;
 		int else_action_cnt=0,is_logor=0,is_logand=0,sbi,sbe;
 
 		/* before emitting any "if"/"else" characters let's check 
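Review bot: the two unchanged lines above the fix still index sact->Actions[sact->numActions-1] directly when computing has_else_or_break, so a block with numActions equal to zero would read Actions[-1] the same way actions[n-1] did when n was zero. Nothing in the visible context checks numActions before that expression; consider evaluating the SWFACTION_JUMP test only when sact->numActions > 0, or applying a similar bounds-checked access there. It would also be worth stating in the commit message what OpCode returns for an out-of-range index, since the fix depends on that value never comparing equal to SWFACTION_LOGICALNOT.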
-- 
2.14.3