Reversing on Windows: 251 Potential NULL Pointer Dereferences in Flash Player

251 potential NULL pointer dereference issues have been identified in Flash Player 14 by pattern matching approach. The file examined is NPSWF32_14_0_0_145.dll (17,029,808 bytes).

The issues are classified as CWE-690: Unchecked Return Value to NULL Pointer Dereference.

I don't copy&paste all the issues in this blog post but bringing up few examples.

First Example

0:012> uf 5438a1d0
NPSWF32_14_0_0_145!BrokerMainW+0xf6f6b:
5438a1d0 f6410810 test byte ptr [ecx+8],10h
5438a1d4 8b4104 mov eax,dword ptr [ecx+4]
5438a1d7 7411 je NPSWF32_14_0_0_145!BrokerMainW+0xf6f85 (5438a1ea)

NPSWF32_14_0_0_145!BrokerMainW+0xf6f74:
5438a1d9 85c0 test eax,eax
5438a1db 740b je NPSWF32_14_0_0_145!BrokerMainW+0xf6f83 (5438a1e8)

NPSWF32_14_0_0_145!BrokerMainW+0xf6f78:
5438a1dd 8b4c2404 mov ecx,dword ptr [esp+4]
5438a1e1 8b448808 mov eax,dword ptr [eax+ecx*4+8]
5438a1e5 c20400 ret 4

NPSWF32_14_0_0_145!BrokerMainW+0xf6f83:
5438a1e8 33c0 xor eax,eax <--Set return value to NULL

NPSWF32_14_0_0_145!BrokerMainW+0xf6f85:
5438a1ea c20400 ret 4 <--Return with NULL
0:012> u 5438a47b L2
NPSWF32_14_0_0_145!BrokerMainW+0xf7216:
5438a47b e850fdffff call NPSWF32_14_0_0_145!BrokerMainW+0xf6f6b (5438a1d0)
5438a480 8a580c mov bl,byte ptr [eax+0Ch] <--Dereference NULL

Second Example

0:012> uf 54362e60
NPSWF32_14_0_0_145!BrokerMainW+0xcfbfb:
54362e60 8b4128 mov eax,dword ptr [ecx+28h]
54362e63 8b4c2404 mov ecx,dword ptr [esp+4]
54362e67 3b4804 cmp ecx,dword ptr [eax+4]
54362e6a 7205 jb NPSWF32_14_0_0_145!BrokerMainW+0xcfc0c (54362e71)

NPSWF32_14_0_0_145!BrokerMainW+0xcfc07:
54362e6c 33c0 xor eax,eax <--Set return value to NULL
54362e6e c20400 ret 4 <--Return with NULL

NPSWF32_14_0_0_145!BrokerMainW+0xcfc0c:
54362e71 56 push esi
54362e72 8b748808 mov esi,dword ptr [eax+ecx*4+8]
54362e76 56 push esi
54362e77 e8e4b0faff call NPSWF32_14_0_0_145!BrokerMainW+0x7acfb (5430df60)
54362e7c 83c404 add esp,4
54362e7f 85c0 test eax,eax
54362e81 7407 je NPSWF32_14_0_0_145!BrokerMainW+0xcfc25 (54362e8a)

NPSWF32_14_0_0_145!BrokerMainW+0xcfc1e:
54362e83 8b4010 mov eax,dword ptr [eax+10h]
54362e86 5e pop esi
54362e87 c20400 ret 4

NPSWF32_14_0_0_145!BrokerMainW+0xcfc25:
54362e8a 8bc6 mov eax,esi
54362e8c 83e0f8 and eax,0FFFFFFF8h
54362e8f 5e pop esi
54362e90 c20400 ret 4
0:012> u NPSWF32_14_0_0_145+006b4eb2 L2
NPSWF32_14_0_0_145!BrokerMainW+0xd1c4d:
54364eb2 e8a9dfffff call NPSWF32_14_0_0_145!BrokerMainW+0xcfbfb (54362e60)
54364eb7 8b7004 mov esi,dword ptr [eax+4] <--Dereference NULL

Third Example

0:012> uf 5429979a
NPSWF32_14_0_0_145!BrokerMainW+0x6535:
5429979a 0fb74108 movzx eax,word ptr [ecx+8]
5429979e 48 dec eax
5429979f 48 dec eax
542997a0 740c je NPSWF32_14_0_0_145!BrokerMainW+0x6549 (542997ae)

NPSWF32_14_0_0_145!BrokerMainW+0x653d:
542997a2 83e815 sub eax,15h
542997a5 7403 je NPSWF32_14_0_0_145!BrokerMainW+0x6545 (542997aa)

NPSWF32_14_0_0_145!BrokerMainW+0x6542:
542997a7 33c0 xor eax,eax <--Set return value to NULL
542997a9 c3 ret <--Return with NULL

NPSWF32_14_0_0_145!BrokerMainW+0x6545:
542997aa 8d4110 lea eax,[ecx+10h]
542997ad c3 ret

NPSWF32_14_0_0_145!BrokerMainW+0x6549:
542997ae 8d410c lea eax,[ecx+0Ch]
542997b1 c3 ret
0:012> u NPSWF32_14_0_0_145+005f3423 L2
NPSWF32_14_0_0_145!BrokerMainW+0x101be:
542a3423 e87263ffff call NPSWF32_14_0_0_145!BrokerMainW+0x6535 (5429979a)
542a3428 8038fe cmp byte ptr [eax],0FEh <--Dereference NULL

You can find a list of 251 potential NULL pointer dereferences in Flash Player here.

Reversing on Windows

The blog continues at suszter.com/ReversingOnWindows

July 16, 2014

251 Potential NULL Pointer Dereferences in Flash Player

First Example

Second Example

Third Example

Most Recent

Security Testing

Debugging

Pin Tools

Archive

Labels

Most Viewed

HexLasso - Static Exploration of Binary Data