global-buffer-overflow exists in the function parseExpression in swftools/src/swfc.c:2587

[wuts91]

project

https://github.com/matthiaskramm/swftools
version:0.9.2

os info

Ubuntu20.04 TLS

poc

poc.zip

build

git clone https://github.com/matthiaskramm/swftools.git
cd swftools
./configure --disable-shared && make
./swftools/src/swfc ./poc

ASAN Info

=================================================================
==3086431==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000007396e0 at pc 0x0000004eabb5 bp 0x7ffd37ab4810 sp 0x7ffd37ab4808
READ of size 4 at 0x0000007396e0 thread T0
#0 0x4eabb4 in parseExpression /home/ubuntu/fuzz/swftools/swftools/src/swfc.c:2587:22
#1 0x4eabb4 in parseTwip /home/ubuntu/fuzz/swftools/swftools/src/swfc.c:2634:19
#2 0x4fa56b in c_edittext /home/ubuntu/fuzz/swftools/swftools/src/swfc.c:4097:18
#3 0x4ee709 in parseArgumentsForCommand /home/ubuntu/fuzz/swftools/swftools/src/swfc.c:4475:5
#4 0x4ee709 in main /home/ubuntu/fuzz/swftools/swftools/src/swfc.c:4598:2
#5 0x7f8305cd7082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#6 0x41d63d in _start (/home/ubuntu/fuzz/swftools/swftools/src/swfc+0x41d63d)

0x0000007396e0 is located 32 bytes to the left of global variable '' defined in 'swfc.c:3949:34' (0x739700) of size 7
'' is ascii string 'format'
0x0000007396e0 is located 26 bytes to the right of global variable '' defined in 'swfc.c:2934:40' (0x7396c0) of size 6
'' is ascii string 'slope'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/ubuntu/fuzz/swftools/swftools/src/swfc.c:2587:22 in parseExpression
Shadow bytes around the buggy address:
0x0000800df280: 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
0x0000800df290: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 01 f9 f9
0x0000800df2a0: f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
0x0000800df2b0: 06 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
0x0000800df2c0: 07 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
=>0x0000800df2d0: 00 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9[f9]f9 f9 f9
0x0000800df2e0: 07 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
0x0000800df2f0: 06 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
0x0000800df300: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0000800df310: 00 00 00 04 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
0x0000800df320: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3086431==ABORTING