Integer Overflow occurs while disassembling swf files. This bug leads to a Heap Overflow.
The max variable is calculated via "max = strsize*(len/2);". strsize is fixed to 20, and len can be set by the user. "max" is a ut8. If the result of strsize multiplied by (len/2) is 0x100 or greater, an Integer Overflow occurs. Therefore, "malloc(max);" allocates a small chunk compared to len.
radare2-extras/libr/asm/arch/swf/swfdis.c:79

```c
ut16 len;
ut8 pushtype;
len = r_mem_get_num (buf+1, 2);      // attacker-controlled length from the file
ut8 i = 3; // Buffer index
ut8 l = 0; // String index
ut8 strsize = 20; // Max size of a push name
ut8 max = strsize*(len/2); // Max size of the whole opcode name (truncated to 8 bits)
char* name = malloc(strsize);
char* type = malloc(max);
while (i < len+2) {
```
More bytes are written into the chunk allocated by "malloc(max);" than were allocated.
radare2-extras/libr/asm/arch/swf/swfdis.c:151

```c
if (i < len+2) strcat (name, ", ");
strncpy (type+l, name, max-l);   // max-l is computed from the truncated max
l += strlen(name);
```
Check whether an integer overflow has occurred with an if statement, or use a larger data type for len.
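As an added example (not code from the radare2-extras project), the same size arithmetic written both as the original ut8 form and in a wide type, so the truncation can be checked for a given len before anything is allocated; STRSIZE, max_as_ut8, max_truncates and alloc_type_buf are names chosen here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef uint8_t ut8;
typedef uint16_t ut16;

#define STRSIZE 20 /* max size of a push name, the value used in swfdis.c */

/* Mirror of the original arithmetic: the product is stored in a ut8, so any
   result of 0x100 or more silently wraps (constructed for illustration). */
ut8 max_as_ut8(ut16 len) {
    ut8 strsize = STRSIZE;
    ut8 max = (ut8)(strsize * (len / 2));
    return max;
}

/* Reports whether storing the product in a ut8 would drop high bits, i.e.
   whether the allocation would end up smaller than the bytes written later. */
bool max_truncates(ut16 len) {
    size_t wide = (size_t)STRSIZE * (len / 2);
    return wide > 0xFF;
}

/* Hardened allocation: do the arithmetic in size_t and reserve one byte for
   the terminating NUL that strcat/strncpy rely on. Returns NULL on failure. */
char *alloc_type_buf(ut16 len, size_t *out_max) {
    size_t max = (size_t)STRSIZE * (len / 2) + 1;
    char *type = calloc(max, 1);
    if (type != NULL && out_max != NULL) {
        *out_max = max;
    }
    return type;
}
```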
integer-overflwo.zip