Bug #4536
Closed
SWF decompression overread
Affected Versions:
Effort:
Difficulty:
Label: Needs backport to 5.0, Needs backport to 6.0
Description
While decompressing a swf file, the computation of compressed_data_len
is wrong as it does not handle the offset start
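The length mistake named in the description, as an added C illustration that is not Suricata's code and not part of the original ticket. The helper names are hypothetical, the sample buffer is constructed, and the 8- and 17-byte data offsets come from the public SWF header layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SWF header: 3-byte signature, 1-byte version, 4-byte uncompressed length. */
#define SWF_ZLIB_DATA_OFFSET 8u  /* "CWS": zlib stream follows the header */
#define SWF_LZMA_DATA_OFFSET 17u /* "ZWS": +4 compressed length, +5 LZMA props */

/* Hypothetical helper: where the compressed stream starts, 0 if not compressed SWF. */
static uint32_t swf_data_offset(const uint8_t *buf, uint32_t buf_len)
{
    if (buf_len < 3) return 0;
    if (memcmp(buf, "CWS", 3) == 0) return SWF_ZLIB_DATA_OFFSET;
    if (memcmp(buf, "ZWS", 3) == 0) return SWF_LZMA_DATA_OFFSET;
    return 0;
}

/* Simplified model of the mistake: the length ignores the start offset. */
static uint32_t span_len_unchecked(uint32_t buf_len, uint32_t offset)
{
    (void)offset;
    return buf_len;
}

/* Corrected length: only the bytes that exist from `offset` to the end. */
static uint32_t span_len_checked(uint32_t buf_len, uint32_t offset)
{
    return offset >= buf_len ? 0 : buf_len - offset;
}

/* Bytes a reader of (buf + offset, span) would touch past buf + buf_len. */
static uint32_t overread_bytes(uint32_t buf_len, uint32_t offset, uint32_t span)
{
    if (span == 0) return 0; /* a zero-length read touches nothing */
    uint64_t end = (uint64_t)offset + span;
    return end > buf_len ? (uint32_t)(end - buf_len) : 0;
}

int main(void)
{
    /* Constructed sample: "CWS" header plus 4 bytes of stand-in payload. */
    const uint8_t sample[] = { 'C','W','S',10, 12,0,0,0, 0x78,0x9c,0x03,0x00 };
    uint32_t len = sizeof(sample), off = swf_data_offset(sample, len);
    printf("unchecked overread: %u bytes\n",
           (unsigned)overread_bytes(len, off, span_len_unchecked(len, off)));
    printf("checked overread:   %u bytes\n",
           (unsigned)overread_bytes(len, off, span_len_checked(len, off)));
    return 0;
}
```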
Updated by Philippe Antoine over 3 years ago
Gitlab MR
Swf overread seems to be not triggered because StreamingBufferGetDataAtOffset
returns a pointer to a bigger buffer than said...
Dummy patch to trigger it
diff --git a/src/detect-file-data.c b/src/detect-file-data.c
index 49c297ab8..b81d9b1fb 100644
--- a/src/detect-file-data.c
+++ b/src/detect-file-data.c
@@ -377,7 +377,9 @@ static InspectionBuffer *HttpServerBodyGetDataCallback(DetectEngineThreadCtx *de
if (swf_file_type == FILE_SWF_ZLIB_COMPRESSION ||
swf_file_type == FILE_SWF_LZMA_COMPRESSION)
{
- (void)FileSwfDecompression(data, data_len,
+ void *lol2 = malloc(data_len);
+ memcpy(lol2, data, data_len);
+ (void)FileSwfDecompression(lol2, data_len,
det_ctx,
buffer,
htp_state->cfg->swf_compression_type,
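Review bot: the `malloc(data_len)` result on the added `lol2` line goes straight into `memcpy` with no NULL check, and no `free(lol2)` appears in the visible lines, so every call that reaches this branch leaks the copy. For a throwaway reproducer the exact-size heap copy is the point, since it removes the slack behind the pointer that `StreamingBufferGetDataAtOffset` returns and lets a memory checker see any read past `data_len`. If this is kept for a test build rather than discarded, check the allocation, free the buffer once `FileSwfDecompression` returns, and give the variable a descriptive name.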
Updated by Jason Ish over 3 years ago
- Copied to Bug #4545: SWF decompression overread added
Updated by Jason Ish over 3 years ago
- Copied to Bug #4546: SWF decompression overread added
Updated by Philippe Antoine over 3 years ago
Mostly fixed by https://github.com/OISF/suricata/commit/4d2f9cc8a0409bb03f5d285bb83d64afec08ba2a
Still one fix to do with Gitlab new MR 247
Updated by Victor Julien almost 3 years ago
- Copied to Bug #4830: SWF decompression overread added
Updated by Victor Julien almost 3 years ago
- Copied to Bug #4831: SWF decompression overread added
Updated by Philippe Antoine almost 3 years ago
- Status changed from In Review to Closed