From 1f5976337d2cf02d5f709cb1d0dac479976e5f94 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Fri, 6 Oct 2017 13:35:33 +0200
Subject: [PATCH 15/29] Fix heap buffer overflow in decompileCALLFUNCTION

Make sure that n > 0 before checking for the previous action in the actions array, otherwise an overflow may occur. This commit fixes CVE-2017-11734 (fixes #83).
---
 util/decompile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/decompile.c b/util/decompile.c
index 1c58c8d9..5f52d768 100644
--- a/util/decompile.c
+++ b/util/decompile.c
@@ -2873,7 +2873,7 @@ decompileCALLFUNCTION(int n, SWF_ACTION *actions, int maxn)
 struct SWF_ACTIONPUSHPARAM *meth, *nparam;
 SanityCheck(SWF_CALLMETHOD,
- actions[n-1].SWF_ACTIONRECORD.ActionCode == SWFACTION_PUSH,
+ n > 0 && actions[n-1].SWF_ACTIONRECORD.ActionCode == SWFACTION_PUSH,
 "CALLMETHOD not preceeded by PUSH")
 meth=pop();
-- 
2.14.3
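Review bot: The added `n > 0` guard in the `SanityCheck(SWF_CALLMETHOD, ...)` call only protects the function if a failed SanityCheck stops execution, and the macro's definition is not visible in this hunk; if it merely reports the failure, control still reaches `meth=pop();` on the same malformed input. That should be confirmed and recorded at the call site, for example with `/* n == 0 means there is no preceding action record; actions[n-1] would read before the array */`. Separately, the check label and message say CALLMETHOD although the enclosing function is decompileCALLFUNCTION, which looks copied from a sibling and makes the diagnostic misleading when triaging a rejected file; `"CALLFUNCTION not preceded by PUSH"` would match the function. The body of decompileCALLFUNCTION continues outside the hunk, so how `n` relates to `maxn` cannot be judged from here.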