From 2027b24f403a859016a70bbdc79a8da1d6f128eb Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Fri, 6 Oct 2017 08:59:32 +0200
Subject: [PATCH 13/29] Fix various overflows in OpCode and readBytes

* OpCode: Add a check to avoid reading the stack when n < 1 In this case, print a debug warning and return error code -998
* readBytes: When size < 0, set it to zero (don't read anything)
This commit fixes CVE-2017-11728 (Fixes #82), CVE-2017-11729 (Fixes #79), CVE-2017-11730 (Fixes #81) and CVE-2017-11731 (Fixes #84).
---
 util/decompile.c | 8 +++++++-
 util/read.c | 8 ++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/util/decompile.c b/util/decompile.c
index 60785e29..1c58c8d9 100644
--- a/util/decompile.c
+++ b/util/decompile.c
@@ -864,7 +864,13 @@ static inline int OpCode(SWF_ACTION *actions, int n, int maxn)
 SWF_warn("OpCode: want %i, max %i\n", n, maxn);
 #endif
 return -999;
- }
+ } else if (n < 1) {
+
+#if DEBUG
+ SWF_warn("OpCode: want %i < 1\n", n);
+#endif
+ return -998;
+ }
 return actions[n].SWF_ACTIONRECORD.ActionCode;
 }
diff --git a/util/read.c b/util/read.c
index 1cd0a0f8..97e78d9e 100644
--- a/util/read.c
+++ b/util/read.c
@@ -226,6 +226,14 @@ float readFloat(FILE *f)
 char *readBytes(FILE *f,int size)
 {
+
+ if (size < 1) {
+#if DEBUG
+ SWF_warn("readBytes: want to read %i < 1 bytes: Handling a 0\n", size);
+#endif
+ size = 0;
+ }
+
 int i;
 char *buf;
-- 
2.14.3
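Review bot: The new `else if (n < 1)` branch makes `-998` a second negative sentinel beside the existing `-999`, yet nothing in the code says why `n == 0` is rejected together with negative indices or that callers must treat any negative return as "no opcode" — only the commit message explains it. A why-comment above the branch such as `/* n < 1 is out of range like n > maxn; -998 lets callers tell the two apart */` would keep the next reader from "fixing" the bound to `n < 0`. It is also worth checking that no caller compares the result only against `-999`; if ActionCode values are small non-negative bytes, as they appear to be, a `< 0` test on the caller side covers both sentinels. The opening lines of OpCode, including the `n > maxn` test, lie outside this hunk.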
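Review bot: The new `if (size < 1)` block sits before the local declarations `int i;` and `char *buf;`, so readBytes now depends on C99 mixed declarations and statements, which the surrounding file may not otherwise assume; moving the guard below those two declarations (or the declarations above it) keeps the function C89-clean and reads more naturally. The guard also fires its DEBUG warning for `size == 0`, while the commit message describes clamping only negative sizes; `if (size < 0)` would match that intent without warning on a legitimate zero-length read, and the clamp itself behaves the same either way. What follows the clamp — the allocation and the read loop — is outside the hunk, so it is worth confirming that callers cope with a zero-length result (a zero-byte allocation may legitimately return NULL or a unique pointer). The body of readBytes continues past the hunk.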