
SEGV in swftocxx (Version 0.4.9) #244

Open
WorldExecute opened this issue Aug 14, 2022 · 0 comments


WorldExecute commented Aug 14, 2022

Hi, I found 5 SEGVs in swftocxx. I saved my test files here.

Bug Description

I applied ASan (AddressSanitizer) to check for address errors; the error reports are as follows.

test_1:
header indicates a filesize of 453464577 but filesize is 377
 Stream out of sync after parse of blocktype 64 (SWF_ENABLEDEBUGGER2). 18 but expecting 22.
 CharacterEndFlag in DefineButton2 != 0Failed to find branch target!!!
Looking for: 65600

parseSWF_BUTTONCONDACTION: expected actionEnd flag
 Stream out of sync after parse of blocktype 34 (SWF_DEFINEBUTTON2). 133 but expecting 55.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==228291==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000004fcce3 bp 0x000001033150 sp 0x7ffefcf2a250 T0)
==228291==The signal is caused by a READ memory access.
==228291==Hint: address points to the zero page.
    #0 0x4fcce3 in getName ./libming/util/decompile.c:424:15
    #1 0x4e9595 in decompileRETURN ./libming/util/decompile.c:1921:3
    #2 0x4d7496 in decompileAction ./libming/util/decompile.c
    #3 0x4fc41c in decompileActions ./libming/util/decompile.c:3535:6
    #4 0x4fc41c in decompile5Action ./libming/util/decompile.c:3558:2
    #5 0x4c8d26 in outputSWF_DEFINEBUTTON2 ./libming/util/outputscript.c:932:2
    #6 0x4d1f13 in readMovie ./libming/util/main.c:281:4
    #7 0x4d1f13 in main ./libming/util/main.c:354:2
    #8 0x7f1159056082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41c48d in _start (./install-asan/bin/swftocxx+0x41c48d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./libming/util/decompile.c:424:15 in getName
==228291==ABORTING

test_2:
header indicates a filesize of 117920624 but filesize is 203
 Stream out of sync after parse of blocktype 28 (SWF_REMOVEOBJECT2). 26 but expecting 31.
 Stream out of sync after parse of blocktype 12 (SWF_DOACTION). 99 but expecting 40.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==228507==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000004e7b6a bp 0x000000000140 sp 0x7ffcef31c7b0 T0)
==228507==The signal is caused by a READ memory access.
==228507==Hint: address points to the zero page.
    #0 0x4e7b6a in decompileINCR_DECR ./libming/util/decompile.c:1640:65
    #1 0x4d49d6 in decompileAction ./libming/util/decompile.c:3356:10
    #2 0x4ed65b in decompileActions ./libming/util/decompile.c:3535:6
    #3 0x4ed65b in decompileIF ./libming/util/decompile.c:2699:4
    #4 0x4ed65b in decompileActions ./libming/util/decompile.c:3535:6
    #5 0x4ed65b in decompileIF ./libming/util/decompile.c:2699:4
    #6 0x4ed65b in decompileActions ./libming/util/decompile.c:3535:6
    #7 0x4ed65b in decompileIF ./libming/util/decompile.c:2699:4
    #8 0x4ed65b in decompileActions ./libming/util/decompile.c:3535:6
    #9 0x4ed65b in decompileIF ./libming/util/decompile.c:2699:4
    #10 0x4fc41c in decompileActions ./libming/util/decompile.c:3535:6
    #11 0x4fc41c in decompile5Action ./libming/util/decompile.c:3558:2
    #12 0x4ce29f in outputSWF_DOACTION ./libming/util/outputscript.c:1552:29
    #13 0x4d1f13 in readMovie ./libming/util/main.c:281:4
    #14 0x4d1f13 in main ./libming/util/main.c:354:2
    #15 0x7fbd92048082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #16 0x41c48d in _start (./install-asan/bin/swftocxx+0x41c48d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./libming/util/decompile.c:1640:65 in decompileINCR_DECR
==228507==ABORTING

test_3:
header indicates a filesize of 117920368 but filesize is 332
Failed to find branch target!!!
Looking for: -22996

Failed to find branch target!!!
Looking for: 34

parseSWF_BUTTONCONDACTION: expected actionEnd flag
 Stream out of sync after parse of blocktype 34 (SWF_DEFINEBUTTON2). 332 but expecting 55.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==228525==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004fcf5c bp 0x000001033150 sp 0x7ffc2bbbc420 T0)
==228525==The signal is caused by a READ memory access.
==228525==Hint: address points to the zero page.
    #0 0x4fcf5c in getName ./libming/util/decompile.c:457:22
    #1 0x4ed3ba in decompileIF ./libming/util/decompile.c:2647:3
    #2 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #3 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #4 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #5 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #6 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #7 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #8 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #9 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #10 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #11 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #12 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #13 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #14 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #15 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #16 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #17 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #18 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #19 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #20 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #21 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #22 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #23 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #24 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #25 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #26 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #27 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #28 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #29 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #30 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #31 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #32 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #33 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #34 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #35 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #36 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #37 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #38 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #39 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #40 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #41 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #42 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #43 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #44 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #45 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #46 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #47 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #48 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #49 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #50 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #51 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #52 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #53 0x4fc41c in decompileActions ./libming/util/decompile.c:3535:6
    #54 0x4fc41c in decompile5Action ./libming/util/decompile.c:3558:2
    #55 0x4c8d26 in outputSWF_DEFINEBUTTON2 ./libming/util/outputscript.c:932:2
    #56 0x4d1f13 in readMovie ./libming/util/main.c:281:4
    #57 0x4d1f13 in main ./libming/util/main.c:354:2
    #58 0x7f426a492082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #59 0x41c48d in _start (./install-asan/bin/swftocxx+0x41c48d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./libming/util/decompile.c:457:22 in getName
==228525==ABORTING

test_4:
header indicates a filesize of 117854832 but filesize is 508
Failed to find branch target!!!
Looking for: 32531

parseSWF_BUTTONCONDACTION: expected actionEnd flag
 Stream out of sync after parse of blocktype 34 (SWF_DEFINEBUTTON2). 507 but expecting 55.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==228306==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004fdd7c bp 0x7ffd4836f170 sp 0x7ffd4836f0c0 T0)
==228306==The signal is caused by a READ memory access.
==228306==Hint: address points to the zero page.
    #0 0x4fdd7c in getString ./libming/util/decompile.c:380:22
    #1 0x4f8d9f in decompileArithmeticOp ./libming/util/decompile.c
    #2 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #3 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #4 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #5 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #6 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #7 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #8 0x4fc41c in decompileActions ./libming/util/decompile.c:3535:6
    #9 0x4fc41c in decompile5Action ./libming/util/decompile.c:3558:2
    #10 0x4c8d26 in outputSWF_DEFINEBUTTON2 ./libming/util/outputscript.c:932:2
    #11 0x4d1f13 in readMovie ./libming/util/main.c:281:4
    #12 0x4d1f13 in main ./libming/util/main.c:354:2
    #13 0x7f825e5f8082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #14 0x41c48d in _start (./install-asan/bin/swftocxx+0x41c48d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./libming/util/decompile.c:380:22 in getString
==228306==ABORTING

test_5:
header indicates a filesize of 117912176 but filesize is 975
Failed to find branch target!!!
Looking for: 32526

Failed to find branch target!!!
Looking for: 32526

Failed to find branch target!!!
Looking for: 32526

parseSWF_BUTTONCONDACTION: expected actionEnd flag
 Stream out of sync after parse of blocktype 34 (SWF_DEFINEBUTTON2). 560 but expecting 55.
  Can't get int for type: 10
AddressSanitizer:DEADLYSIGNAL
=================================================================
==228288==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004fde2b bp 0x7ffe78264770 sp 0x7ffe782646c0 T0)
==228288==The signal is caused by a READ memory access.
==228288==Hint: address points to the zero page.
    #0 0x4fde2b in getString ./libming/util/decompile.c:391:22
    #1 0x4f766f in decompileArithmeticOp ./libming/util/decompile.c
    #2 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #3 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #4 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #5 0x4effbc in decompileActions ./libming/util/decompile.c:3535:6
    #6 0x4effbc in decompile_SWITCH ./libming/util/decompile.c:2278:4
    #7 0x4effbc in decompileIF ./libming/util/decompile.c:2637:6
    #8 0x4fc41c in decompileActions ./libming/util/decompile.c:3535:6
    #9 0x4fc41c in decompile5Action ./libming/util/decompile.c:3558:2
    #10 0x4c8d26 in outputSWF_DEFINEBUTTON2 ./libming/util/outputscript.c:932:2
    #11 0x4d1f13 in readMovie ./libming/util/main.c:281:4
    #12 0x4d1f13 in main ./libming/util/main.c:354:2
    #13 0x7f6e45d59082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #14 0x41c48d in _start (./install-asan/bin/swftocxx+0x41c48d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./libming/util/decompile.c:391:22 in getString
==228288==ABORTING

Steps to Reproduce

  1. Download the libming source code from the official link and build it with ASan (-fsanitize=address).
  2. Execute swftocxx with the provided input files.
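The five reports above all land in util/decompile.c with a near-null fault address, which makes them candidates for the same class of bug (a NULL pointer returned by a lookup and dereferenced without a check). As an added example, not part of the original issue or of libming, the following Python script parses raw ASan output in the format shown above and groups reports by their SUMMARY site, so that repeated hits of one crash collapse into a single entry during triage. All function and regex names are this example's own; the three sample reports are constructed, abbreviated copies of the issue's output, the third with a made-up pid to show de-duplication.

```python
"""Group AddressSanitizer SEGV reports by crash site (added example, not libming code)."""
import re
from collections import OrderedDict

# Constructed sample input: abbreviated ASan reports in the issue's format.
# The third report reuses the first crash site with a made-up pid (999001).
SAMPLE_LOGS = [
    """header indicates a filesize of 453464577 but filesize is 377
AddressSanitizer:DEADLYSIGNAL
==228291==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000004fcce3 bp 0x000001033150 sp 0x7ffefcf2a250 T0)
==228291==The signal is caused by a READ memory access.
==228291==Hint: address points to the zero page.
    #0 0x4fcce3 in getName ./libming/util/decompile.c:424:15
    #1 0x4e9595 in decompileRETURN ./libming/util/decompile.c:1921:3
    #2 0x4d7496 in decompileAction ./libming/util/decompile.c
    #3 0x4d1f13 in main ./libming/util/main.c:354:2
    #4 0x41c48d in _start (./install-asan/bin/swftocxx+0x41c48d)

SUMMARY: AddressSanitizer: SEGV ./libming/util/decompile.c:424:15 in getName
==228291==ABORTING
""",
    """AddressSanitizer:DEADLYSIGNAL
==228507==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000004e7b6a bp 0x000000000140 sp 0x7ffcef31c7b0 T0)
==228507==The signal is caused by a READ memory access.
==228507==Hint: address points to the zero page.
    #0 0x4e7b6a in decompileINCR_DECR ./libming/util/decompile.c:1640:65
    #1 0x4d49d6 in decompileAction ./libming/util/decompile.c:3356:10
    #2 0x4d1f13 in main ./libming/util/main.c:354:2

SUMMARY: AddressSanitizer: SEGV ./libming/util/decompile.c:1640:65 in decompileINCR_DECR
==228507==ABORTING
""",
    """AddressSanitizer:DEADLYSIGNAL
==999001==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000004fcce3 bp 0x000001033150 sp 0x7ffe12345670 T0)
==999001==The signal is caused by a READ memory access.
==999001==Hint: address points to the zero page.
    #0 0x4fcce3 in getName ./libming/util/decompile.c:424:15
    #1 0x4e9595 in decompileRETURN ./libming/util/decompile.c:1921:3
    #2 0x4d1f13 in main ./libming/util/main.c:354:2

SUMMARY: AddressSanitizer: SEGV ./libming/util/decompile.c:424:15 in getName
==999001==ABORTING
""",
]

ERROR_RE = re.compile(
    r"^==(\d+)==ERROR: AddressSanitizer: (\w+) on unknown address (0x[0-9a-fA-F]+)", re.M)
ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (\w+) memory access", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (.+?)\s*$", re.M)
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (\w+) (\S+) in (\S+)\s*$", re.M)


def parse_location(loc):
    """Split 'file:line:col' into (file, line); bare files and '(binary+off)' get line None."""
    m = re.match(r"^(.+?):(\d+)(?::\d+)?$", loc)
    if m:
        return m.group(1), int(m.group(2))
    return loc, None


def parse_report(text):
    """Extract pid, fault kind, address, access type, stack frames and SUMMARY site."""
    err = ERROR_RE.search(text)
    if not err:
        raise ValueError("no AddressSanitizer ERROR line found")
    pid, kind, addr = int(err.group(1)), err.group(2), int(err.group(3), 16)
    access = ACCESS_RE.search(text)
    frames = [(m.group(2),) + parse_location(m.group(3)) for m in FRAME_RE.finditer(text)]
    summ = SUMMARY_RE.search(text)
    site = (summ.group(3),) + parse_location(summ.group(2)) if summ else frames[0]
    return {
        "pid": pid,
        "kind": kind,
        "address": addr,
        "access": access.group(1) if access else None,
        # ASan's "zero page" hint: a fault below 0x1000 is almost always NULL plus a struct offset.
        "near_null": addr < 0x1000,
        "frames": frames,
        "site": site,
    }


def first_project_frame(report, prefix="./libming/"):
    """First frame inside the project tree, skipping libc and _start frames."""
    for frame in report["frames"]:
        if frame[1].startswith(prefix):
            return frame
    return None


def triage(logs):
    """Map each distinct crash site (function, file, line) to the pids that hit it."""
    groups = OrderedDict()
    for text in logs:
        rep = parse_report(text)
        groups.setdefault(rep["site"], []).append(rep["pid"])
    return groups


if __name__ == "__main__":
    for (func, path, line), pids in triage(SAMPLE_LOGS).items():
        print(f"{func} at {path}:{line}: {len(pids)} report(s), pids {pids}")
```

Grouping on the SUMMARY site is deliberately coarse: the issue's two getName reports (lines 424 and 457) and two getString reports (lines 380 and 391) stay separate, which is what a maintainer wants when deciding whether one NULL check or several are needed; grouping on the first project frame's function alone would merge them.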