
Integer overflow when disassembling swp files #253

Open
JJY-sec opened this issue Jul 2, 2020 · 0 comments

JJY-sec commented Jul 2, 2020

An integer overflow occurs when disassembling swp files. This bug leads to a heap overflow.

The max variable is calculated via "max = strsize*(len/2);". strsize is fixed at 20, and len can be set by the user. "max" is ut8. If the result of strsize multiplied by max is greater than 0x100, an integer overflow occurs. Therefore, "malloc(max);" allocates a small chunk compared to len.

radare2-extras/libr/asm/arch/swf/swfdis.c:79

    ut16 len;
    ut8 pushtype;
    len = r_mem_get_num (buf+1, 2);

    ut8 i = 3; // Buffer index
    ut8 l = 0; // String index
    ut8 strsize = 20; // Max size of a push name
    ut8 max = strsize*(len/2); // Max size of the whole opcode name
    char* name = malloc(strsize);
    char* type = malloc(max);
    while (i < len+2) {

More bytes are written to the chunk allocated by "malloc(max);" than were allocated.

radare2-extras/libr/asm/arch/swf/swfdis.c:151

    if (i < len+2) strcat (name, ", ");
    strncpy (type+l, name, max-l);
    l += strlen(name);

Check whether an integer overflow has occurred with an if statement, or use a larger data type for len.

integer-overflwo.zip
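To make the truncation concrete, here is an added C example (not code from radare2-extras) that computes the allocation size both as the quoted code does, with the product stored in a ut8, and in a checked size_t variant, and reports how many bytes the loop could write past the truncated allocation. The typedefs and the constant strsize = 20 mirror the excerpt above; the function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef uint8_t  ut8;
typedef uint16_t ut16;

/* As in the reported code: strsize*(len/2) is computed as an int, then
 * stored in an 8-bit variable, so it is reduced modulo 256 before malloc()
 * ever sees it.  For len >= 26 the product exceeds 255 and wraps. */
static size_t buggy_alloc_size(ut16 len) {
    ut8 strsize = 20;
    ut8 max = strsize * (len / 2);  /* silently truncated to one byte */
    return max;
}

/* Hardened variant: do the arithmetic in size_t and verify the product
 * fits before it is used as an allocation size.  With a ut16 len the
 * check cannot fail, but it keeps the function safe if len ever widens. */
static bool safe_alloc_size(ut16 len, size_t *out) {
    const size_t strsize = 20;
    size_t entries = (size_t)len / 2;
    if (entries > SIZE_MAX / strsize) {
        return false;  /* product would overflow size_t */
    }
    *out = strsize * entries;
    return true;
}

/* Bytes the copy loop may write beyond what the truncated size allocates:
 * the gap between the size the data needs and the size malloc() received. */
static size_t heap_shortfall(ut16 len) {
    size_t needed;
    if (!safe_alloc_size(len, &needed)) {
        return 0;
    }
    size_t allocated = buggy_alloc_size(len);
    return needed > allocated ? needed - allocated : 0;
}
```

For len = 30 the quoted code asks malloc() for 44 bytes while the loop bound allows up to 300, a shortfall of 256 bytes; lengths below 26 are unaffected.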
