Recently, I found an out-of-bounds issue in the newest branch of swftools which can cause a segmentation fault.
This issue can be caused by a malformed PNG file through png2swf.
Attackers could exploit this issue to result in DoS and might cause arbitrary code execution.
The crash information is as follows.
compiled normally
$ analysis ./png2swf-test crashes_use/000004.png
[1] 56063 segmentation fault ./png2swf-test crashes_use/000004.png
compiled with CFLAGS='-fsanitize=address'
$ analysis ./png2swf-dbg crashes_use/000004.png
==7338==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001b500 at pc 0x00000045a3fa bp 0x7fffe1841530 sp 0x7fffe1841520
WRITE of size 4 at 0x62100001b500 thread T0
#0 0x45a3f9 in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:755
#1 0x40865e in MovieAddFrame /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:491
#2 0x40af7d in main /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:816
#3 0x7f943a8c282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x402838 in _start (/home/kirito/Desktop/fuzz/swftools/swftools-2013-04-09-1007/fuzz_0/analysis/png2swf-dbg+0x402838)
0x62100001b500 is located 0 bytes to the right of 4096-byte region [0x62100001a500,0x62100001b500)
allocated by thread T0 here:
#0 0x7f943b176602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x455d92 in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:579
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:755 png_load
Shadow bytes around the buggy address:
0x0c427fffb650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb6a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb6c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb6d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb6e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb6f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==7338==ABORTING
The attachment is the zip package of PoC and a brief analysis.
000004.zip
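As an added triage aid (not part of this report and not swftools code), the following Python script parses an AddressSanitizer report of the kind quoted above and pulls out what a maintainer needs first: the error kind, the access type and size, the faulting source frame, the allocation site, and how many bytes of the access fall outside the allocated region. The sample input is the report from this issue, trimmed to the lines the parser reads; the regular expressions are written against the ASan output format shown here and are assumed to hold for similar reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the AddressSanitizer report quoted in the issue
# above, trimmed to the lines this parser consumes (shadow-byte dump omitted).
ASAN_REPORT = """\
==7338==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001b500 at pc 0x00000045a3fa bp 0x7fffe1841530 sp 0x7fffe1841520
WRITE of size 4 at 0x62100001b500 thread T0
    #0 0x45a3f9 in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:755
    #1 0x40865e in MovieAddFrame /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:491
    #2 0x40af7d in main /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:816
    #3 0x7f943a8c282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
0x62100001b500 is located 0 bytes to the right of 4096-byte region [0x62100001a500,0x62100001b500)
allocated by thread T0 here:
    #0 0x7f943b176602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x455d92 in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:579
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:755 png_load
"""

# Regex shapes follow the ASan report format above (assumed stable for similar reports).
ERROR_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x(?P<addr>[0-9a-f]+)", re.M)
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
    r"(?P<size>\d+)-byte region \[0x(?P<lo>[0-9a-f]+),0x(?P<hi>[0-9a-f]+)\)")
SOURCE_LOC_RE = re.compile(r"^(?P<file>.+):(?P<line>\d+)$")


@dataclass
class Frame:
    func: str
    file: str
    line: int


@dataclass
class AsanTriage:
    kind: str                      # e.g. heap-buffer-overflow
    op: str                        # READ or WRITE
    access_size: int
    access_addr: int
    fault_frame: Frame             # first source-level frame of the faulting stack
    region_size: int
    region_lo: int
    region_hi: int                 # exclusive end of the allocated region
    alloc_frame: Optional[Frame]   # first source-level frame of the allocation stack

    def bytes_past_end(self) -> int:
        """Bytes of the access lying beyond the end of the region."""
        return max(0, self.access_addr + self.access_size - self.region_hi)

    def bytes_before_start(self) -> int:
        """Bytes of the access lying before the start of the region."""
        return max(0, self.region_lo - self.access_addr)

    def is_write(self) -> bool:
        return self.op == "WRITE"


def _frames(text: str) -> List[Frame]:
    """Frames with a file:line location, in stack order; runtime/libc frames are skipped."""
    out = []
    for m in FRAME_RE.finditer(text):
        loc = SOURCE_LOC_RE.match(m.group("loc"))
        if loc:
            out.append(Frame(m.group("func"), loc.group("file"), int(loc.group("line"))))
    return out


def triage(report: str) -> AsanTriage:
    err = ERROR_RE.search(report)
    acc = ACCESS_RE.search(report)
    reg = REGION_RE.search(report)
    if not (err and acc and reg):
        raise ValueError("not a recognisable AddressSanitizer heap report")
    # The faulting stack sits between the access line and the region line;
    # the allocation stack follows "allocated by ... here:".
    fault_frames = _frames(report[acc.end():reg.start()])
    if not fault_frames:
        raise ValueError("no source-level frame in the faulting stack")
    alloc_start = report.find("allocated by", reg.end())
    alloc_frames = _frames(report[alloc_start:]) if alloc_start != -1 else []
    return AsanTriage(
        kind=err.group("kind"),
        op=acc.group("op"),
        access_size=int(acc.group("size")),
        access_addr=int(acc.group("addr"), 16),
        fault_frame=fault_frames[0],
        region_size=int(reg.group("size")),
        region_lo=int(reg.group("lo"), 16),
        region_hi=int(reg.group("hi"), 16),
        alloc_frame=alloc_frames[0] if alloc_frames else None,
    )


def summarize(t: AsanTriage) -> str:
    f = t.fault_frame
    alloc = (f"{t.alloc_frame.func} ({t.alloc_frame.file}:{t.alloc_frame.line})"
             if t.alloc_frame else "unknown")
    return (f"{t.kind}: {t.access_size}-byte {t.op} in {f.func} ({f.file}:{f.line}), "
            f"{t.bytes_past_end()} byte(s) past the end of a {t.region_size}-byte "
            f"heap region allocated in {alloc}")


if __name__ == "__main__":
    print(summarize(triage(ASAN_REPORT)))
```

The useful number here is bytes_past_end(): ASan reports the faulting address as "0 bytes to the right" of the region, but the access is 4 bytes wide, so the write clobbers 4 bytes of the redzone; a write that lands fully past an allocation is the case to prioritise over a read of the same size.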