
Commit e3217e8

committed
tests: Port security tests from avmplus
These tests have been adapted from the avmplus repo. See https://github.com/adobe/avmplus/tree/858d034a3bd3a54d9b70909386435cf4aec81d21/test
1 parent 6b03106 commit e3217e8


10 files changed

+105
-0
lines changed

Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
/* This Source Code Form is subject to the terms of the Mozilla Public
2+
* License, v. 2.0. If a copy of the MPL was not distributed with this
3+
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4+
package {import flash.display.MovieClip; public class Test extends MovieClip {}}
5+
6+
import com.adobe.test.Assert;
7+
8+
// var SECTION = "RegExp";
9+
// var VERSION = "as3";
10+
// var TITLE = "https://bugzilla.mozilla.org/show_bug.cgi?id=550269";
11+
12+
13+
// CVE-2008-0674: large number of characters with Unicode code points greater than 255
14+
var utf8RegExp:String = "[^ABCDEFGHIJKLMNOPQRSTUVWXYZÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝÞĀĂĄĆĈĊČĎĐĒĔĖĘĚĜĞĠĢĤĦĨĪĬĮİIJĴĶĹĻĽĿŁŃŅŇŊŌŎŐŒŔŖŘŚŜŞŠŢŤŦŨŪŬŮŰŲŴŶŸŹŻŽƁƂƄƆƇƉƊƋƎƏƐƑƓƔƖƗƘƜƝƟƠƢƤƦƧƩƬƮƯƱƲƳƵƷƸƼDŽLJNJǍǏǑǓǕǗǙǛǞǠǢǤǦǨǪǬǮDZǴǶǷǸǺǼǾȀȂȄȆȈȊȌȎȐȒȔȖȘȚȜȞȠȢȤȦȨȪȬȮȰȲȺȻȽȾɁΆΈΉΊΌΎΏΑΒΓΔΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΩΪΫϒϓϔϘϚϜϞϠϢϤϦϨϪϬϮϴϷϹϺϽϾϿЀЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯѠѢѤѦѨѪѬѮѰѲѴѶѸѺѼѾҀҊҌҎҐҒҔҖҘҚҜҞҠҢҤҦҨҪҬҮҰҲҴҶҸҺҼҾӀӁӃӅӇӉӋӍӐӒӔӖӘӚӜӞӠӢӤӦӨӪӬӮӰӲӴӶӸԀԂԄԆԈԊԌԎԱԲԳԴԵԶԷԸԹԺԻԼԽԾԿՀՁՂՃՄՅՆՇՈՉՊՋՌՍՎՏՐՑՒՓՔՕՖႠႡႢႣႤႥႦႧႨႩႪႫႬႭႮႯႰႱႲႳႴႵႶႷႸႹႺႻႼႽႾႿჀჁჂჃჄჅḀḂḄḆḈḊḌḎḐḒḔḖḘḚḜḞḠḢḤḦḨḪḬḮḰḲḴḶḸḺḼḾṀṂṄṆṈṊṌṎṐṒṔṖṘṚṜṞṠṢṤṦṨṪṬṮṰṲṴṶṸṺṼṾẀẂẄẆẈẊẌẎẐẒẔẠẢẤẦẨẪẬẮẰẲẴẶẸẺẼẾỀỂỄỆỈỊỌỎỐỒỔỖỘỚỜỞỠỢỤỦỨỪỬỮỰỲỴỶỸἈἉἊἋἌἍἎἏἘἙἚἛἜἝἨἩἪἫἬἭἮἯἸἹἺἻἼἽἾἿὈὉὊὋὌὍὙὛὝὟὨὩὪὫὬὭὮὯᾸᾹᾺΆῈΈῊΉῘῙῚΊῨῩῪΎῬῸΌῺΏabcdefghijklmnopqrstuvwxyzªµºßàáâãäåæçèéêëìíîïðñòóôõöøùúûüýþÿāăąćĉċčďđēĕėęěĝğġģĥħĩīĭįıijĵķĸĺļľŀłńņňʼnŋōŏőœŕŗřśŝşšţťŧũūŭůűųŵŷźżžſƀƃƅƈƌƍƒƕƙƚƛƞơƣƥƨƪƫƭưƴƶƹƺƽƾƿdžljnjǎǐǒǔǖǘǚǜǝǟǡǣǥǧǩǫǭǯǰdzǵǹǻǽǿȁȃȅȇȉȋȍȏȑȓȕȗșțȝȟȡȣȥȧȩȫȭȯȱȳȴȵȶȷȸȹȼȿɀɐɑɒɓɔɕɖɗɘəɚɛɜɝɞɟɠɡɢɣɤɥɦɧɨɩɪɫɬɭɮɯɰɱɲɳɴɵɶɷɸɹɺɻɼɽɾɿʀʁʂʃʄʅʆʇʈʉʊʋʌʍʎʏʐʑʒʓʔʕʖʗʘʙʚʛʜʝʞʟʠʡʢʣʤʥʦʧʨʩʪʫʬʭʮʯΐάέήίΰαβγδεζηθικλμνξοπρςστυφχψωϊϋόύώϐϑϕϖϗϙϛϝϟϡϣϥϧϩϫϭϯϰϱϲϳϵϸϻϼабвгдежзийклмнопрстуфхцчшщъыьэюяѐёђѓєѕіїјљњћќѝўџѡѣѥѧѩѫѭѯѱѳѵѷѹѻѽѿҁҋҍҏґғҕҗҙқҝҟҡңҥҧҩҫҭүұҳҵҷҹһҽҿӂӄӆӈӊӌӎӑӓӕӗәӛӝӟӡӣӥӧөӫӭӯӱӳӵӷӹԁԃԅԇԉԋԍԏաբգդեզէըթժիլխծկհձղճմյնշոչպջռսվտրցւփքօֆևᴀᴁᴂᴃᴄᴅᴆᴇᴈᴉᴊᴋᴌᴍᴎᴏᴐᴑᴒᴓᴔᴕᴖᴗᴘᴙᴚᴛᴜᴝᴞᴟᴠᴡᴢᴣᴤᴥᴦᴧᴨᴩᴪᴫᵢᵣᵤᵥᵦᵧᵨᵩᵪᵫᵬᵭᵮᵯᵰᵱᵲᵳᵴᵵᵶᵷᵹᵺᵻᵼᵽᵾᵿᶀᶁᶂᶃᶄᶅᶆᶇᶈᶉᶊᶋᶌᶍᶎᶏᶐᶑᶒᶓᶔᶕᶖᶗᶘᶙᶚḁḃḅḇḉḋḍḏḑḓḕḗḙḛḝḟḡḣḥḧḩḫḭḯḱḳḵḷḹḻḽḿṁṃṅṇṉṋṍṏṑṓṕṗṙṛṝṟṡṣṥṧṩṫṭṯṱṳṵṷṹṻṽṿẁẃẅẇẉẋẍẏẑẓẕẖẗẘẙẚẛạảấầẩẫậắằẳẵặẹẻẽếềểễệỉịọỏốồổỗộớờởỡợụủứừửữựỳỵỷỹἀἁἂἃἄἅἆἇἐἑἒἓἔἕἠἡἢἣἤἥἦἧἰἱἲἳἴἵἶἷὀὁὂὃὄὅὐὑὒὓὔὕὖὗὠὡὢὣὤὥὦὧὰάὲέὴήὶίὸόὺύὼώᾀᾁᾂᾃᾄᾅᾆᾇᾐᾑᾒᾓᾔᾕᾖᾗᾠᾡᾢᾣᾤᾥᾦᾧᾰᾱᾲᾳᾴᾶᾷιῂῃῄῆῇῐῑῒΐῖῗῠῡῢΰῤῥῦῧῲῳῴῶῷⲁⲃⲅⲇⲉⲋⲍⲏⲑⲓⲕⲗⲙⲛⲝⲟⲡⲣⲥⲧⲩⲫⲭⲯⲱⲳⲵⲷⲹⲻⲽⲿⳁⳃⳅⳇⳉⳋⳍⳏⳑⳓⳕⳗⳙⳛⳝⳟⳡⳣⳤⴀⴁⴂⴃⴄⴅⴆⴇⴈⴉⴊⴋⴌⴍⴎⴏⴐⴑⴒⴓⴔⴕⴖⴗⴘⴙⴚⴛⴜⴝⴞⴟⴠⴡⴢⴣⴤⴥfffiflffifflſtstﬓﬔﬕﬖﬗ\d-_^]";
15+
var evilRegExp:RegExp = new RegExp(utf8RegExp);
16+
evilRegExp.exec("Hello World");
17+
// If testcase runs then we are good, previously this would crash
18+
Assert.expectEq(
19+
"CVE-2008-0674",
20+
true,
21+
true
22+
);
23+
24+
25+
// CVE-2008-2371 begins with an option and contains multiple branches.
26+
var optionsRegExp:String = "(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]";
27+
var evilRegExp2:RegExp = new RegExp(optionsRegExp);
28+
evilRegExp2.exec("Hello World");
29+
// If testcase runs then we are good, previously this would crash
30+
Assert.expectEq(
31+
"CVE-2008-2371",
32+
true,
33+
true
34+
);
35+
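Review bot: Both `Assert.expectEq("CVE-…", true, true)` calls compare a constant with itself, so this file can only fail if compiling or running the pattern aborts the run; the value returned by `exec` is thrown away. Memory corruption of the kind these two CVE ids track does not necessarily crash an ordinary build, so a regression could still print PASSED unless the suite is also run under a memory-checking build. I would at least trace the match result so the expected-output file pins it, e.g. `trace(String(evilRegExp.exec("Hello World")));`, taking the expected line from a reference run. Separately, both patterns are string literals, so `\d` and `\xc3\xa9` are handled as string escapes before `new RegExp` sees them; whether the regex-level escapes were intended cannot be determined from this page, so a comment stating which form the original crash required would help.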
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
<flex-config>
2+
<compiler>
3+
<source-path>
4+
<path-element>.</path-element>
5+
<path-element>../../../lib</path-element>
6+
</source-path>
7+
<debug>false</debug>
8+
<omit-trace-statements>false</omit-trace-statements>
9+
<show-actionscript-warnings>false</show-actionscript-warnings>
10+
<strict>false</strict>
11+
</compiler>
12+
<output>test.swf</output>
13+
</flex-config>
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
CVE-2008-0674 PASSED!
2+
CVE-2008-2371 PASSED!
6.73 KB
Binary file not shown.
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
num_ticks = 1
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
/* This Source Code Form is subject to the terms of the Mozilla Public
2+
* License, v. 2.0. If a copy of the MPL was not distributed with this
3+
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4+
package {import flash.display.MovieClip; public class Test extends MovieClip {}}
5+
6+
7+
import com.adobe.test.Assert;
8+
// var SECTION = "regress_663469";
9+
// var VERSION = "AS3";
10+
// var TITLE = "restArgs optimization needs error checking for double-atom case";
11+
// var bug = "663469";
12+
13+
14+
function runTest(...args)
15+
{
16+
// sample a variety of integers that are out of range, *and*
17+
// too large to fit into kIntptrType atom on 32-bit builds.
18+
// (Some may happen to not crash, depending on memory layout,
19+
// but all are accessing undefined memory.)
20+
var idx:int;
21+
idx = 0x1fffffff; Assert.expectEq("args["+String(idx)+"]","undefined",String(args[idx]));
22+
idx = 0x2fffffff; Assert.expectEq("args["+String(idx)+"]","undefined",String(args[idx]));
23+
idx = 0x7fffffff; Assert.expectEq("args["+String(idx)+"]","undefined",String(args[idx]));
24+
idx = 0xdeadbeef; Assert.expectEq("args["+String(idx)+"]","undefined",String(args[idx]));
25+
idx = 0x5DCD64BA; Assert.expectEq("args["+String(idx)+"]","undefined",String(args[idx]));
26+
}
27+
function doRunTest()
28+
{
29+
// must call runTest() from a jitted method
30+
runTest();
31+
}
32+
doRunTest();
33+
34+
35+
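Review bot: `idx` is declared `int`, so `idx = 0xdeadbeef` wraps to -559038737 (the expected output confirms `args[-559038737]`), which makes that line a negative-index case rather than another large positive one as the comment at the top of `runTest` suggests. Worth saying so in place: `// 0xdeadbeef does not fit in int and wraps negative, so this also covers a negative index`. `runTest()` is only ever called with no arguments, so every read is against an empty rest array; if the bounds check depends on the array length, a second call such as `runTest(1, 2, 3)` would cover the non-empty case, at the cost of extending the expected output. The comment `must call runTest() from a jitted method` states a precondition the test itself cannot verify, so it would help to note how the harness guarantees it.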
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
<flex-config>
2+
<compiler>
3+
<source-path>
4+
<path-element>.</path-element>
5+
<path-element>../../../lib</path-element>
6+
</source-path>
7+
<debug>false</debug>
8+
<omit-trace-statements>false</omit-trace-statements>
9+
<show-actionscript-warnings>false</show-actionscript-warnings>
10+
<strict>false</strict>
11+
</compiler>
12+
<output>test.swf</output>
13+
</flex-config>
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
args[536870911] PASSED!
2+
args[805306367] PASSED!
3+
args[2147483647] PASSED!
4+
args[-559038737] PASSED!
5+
args[1573741754] PASSED!
2.42 KB
Binary file not shown.
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
num_ticks = 1
