From eda5a20206862a11805303cdd125566c9f9f9103 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Mon, 23 Oct 2017 11:23:10 +0200
Subject: [PATCH 19/29] Fix null-pointer dereference issue in stackswap.

Avoid processing stackswap when stack only contains one element. In this case, print a warning if debug mode is enabled, and return cleanly.

This commit fixes CVE-2017-11733 (fixes #78).
---
 util/decompile.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/util/decompile.c b/util/decompile.c
index 5f52d768..a85a5eee 100644
--- a/util/decompile.c
+++ b/util/decompile.c
@@ -626,6 +626,14 @@ stackswap()
 #endif
 struct SWF_ACTIONPUSHPARAM *p = peek(); /* peek() includes error handling */
 char type = Stack->type;
+
+ if (Stack->next == NULL) {
+#if DEBUG
+ SWF_warn("stackswap: can't swap (stack contains only one element)\n");
+#endif
+ return;
+ }
+
 Stack->type = Stack->next->type;
 Stack->val = Stack->next->val;
 Stack->next->type = type;
-- 
2.14.3
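Review bot: The new guard sits after `char type = Stack->type;`, so an empty stack (`Stack == NULL`) still dereferences a null pointer on that line unless `peek()` never returns in that case — the context comment says it "includes error handling" but the hunk does not show whether that is an abort or a return, so the one-element case is fixed while the zero-element case still depends on peek()'s behaviour. Hoisting the check above the `type` read and widening it to `if (Stack == NULL || Stack->next == NULL) {` closes both cases regardless of what peek() does. Because the action stream comes from an attacker-controlled SWF, the silent no-op in non-DEBUG builds deserves a why-comment at the guard, e.g. `/* malformed input: ActionStackSwap with fewer than two stack entries; ignore instead of dereferencing NULL (CVE-2017-11733) */`. stackswap() begins before and continues past this hunk.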