ming-0.4.5-14.1.mga6.src.rpm

From eda5a20206862a11805303cdd125566c9f9f9103 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Mon, 23 Oct 2017 11:23:10 +0200
Subject: [PATCH 19/29] Fix null-pointer dereference issue in stackswap.

Avoid processing stackswap when stack only contains one element. In this
case, print a warning if debug mode is enabled, and return cleanly.

This commit fixes CVE-2017-11733 (fixes #78).
---
 util/decompile.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/util/decompile.c b/util/decompile.c
index 5f52d768..a85a5eee 100644
--- a/util/decompile.c
+++ b/util/decompile.c
@@ -626,6 +626,14 @@ stackswap()
 #endif
 	struct SWF_ACTIONPUSHPARAM *p = peek();		/* peek() includes error handling */
 	char type = Stack->type;
+
+        if (Stack->next == NULL) {
+#if DEBUG
+		SWF_warn("stackswap: can't swap (stack contains only one element)\n");
+#endif
+                return;
+        }
+
 	Stack->type = Stack->next->type;
 	Stack->val  = Stack->next->val;
 	Stack->next->type = type;
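Review bot: The added `Stack->next == NULL` guard sits after `char type = Stack->type;`, so it protects the `Stack->next` accesses but the code still reads through `Stack` before any check in this function. The empty-stack case rests entirely on the "peek() includes error handling" comment. If peek() can return while Stack is NULL, move the check above that read and widen it to `if (Stack == NULL || Stack->next == NULL)`. Two smaller points: the `if`, `return;` and closing brace are indented with spaces while the surrounding lines and the SWF_warn call use tabs, and because the warning is compiled only under `#if DEBUG`, a non-debug build skips the swap silently on malformed input. Consider warning unconditionally, or add a comment stating that the silent skip is intended.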
-- 
2.14.3