
swf_GetBits() Address Access Except #21

Closed
lcatro opened this issue Jun 11, 2017 · 0 comments


lcatro commented Jun 11, 2017

crash: https://raw.githubusercontent.com/lcatro/My_PoC/master/swftools/swfdump_crash_swf_GetBit_0x451A6C_

trigger: `./swfdump swftools/swfdump_crash_swf_GetBit_0x451A6C_`

Crash detail:

```
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./swfdump swftools/swfdump_crash_swf_GetBit_0x451A6C_
rfxswf: Warning: Short read (tagid 979). File truncated?
==== Error: Real Filesize (171) doesn't match header Filesize (65688) ====
[HEADER] File version: 4
[HEADER] File size: 65688
[HEADER] Frame rate: 129.000000
[HEADER] Frame count: 2
[HEADER] Movie width: 0.00
[HEADER] Movie height: 0.00
[000] 1 END
==== Error: End Tag not empty ====
[000] 0 END
==== Error: Unknown tag:0x230 ====
[230] 0 (null)
==== Error: Unknown tag:0x088 ====
[088] 6 (null)
==== Error: Unknown tag:0x274 ====
[274] 15 (null)
[008] 0 JPEGTABLES
[004] 7 PLACEOBJECT places id 0000 at depth 8c00

GetU16() out of bounds: TagID = 4
GetU16() out of bounds: TagID = 4
GetU16() out of bounds: TagID = 4
[004] 0 PLACEOBJECT places id 0000 at depth 0000
GetU16() out of bounds: TagID = 4
GetU16() out of bounds: TagID = 4
GetBits() out of bounds: TagID = 4, pos=0, len=0
ASAN:SIGSEGV

==18740==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffffffffff (pc 0x000000414cf8 bp 0x60600000ed20 sp 0x7ffd0d5218d0 T0)
#0 0x414cf7 in swf_GetBits (/home/fuzzer/fuzzing/swftools/src/swfdump+0x414cf7)
#1 0x415e0c in swf_GetMatrix (/home/fuzzer/fuzzing/swftools/src/swfdump+0x415e0c)
#2 0x403f4c in handlePlaceObject (/home/fuzzer/fuzzing/swftools/src/swfdump+0x403f4c)
#3 0x406154 in main (/home/fuzzer/fuzzing/swftools/src/swfdump+0x406154)
#4 0x7fa7f2acc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x401998 in _start (/home/fuzzer/fuzzing/swftools/src/swfdump+0x401998)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 swf_GetBits
==18740==ABORTING
```
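The trace above shows the failure pattern worth fixing on the defender side: several `GetU16()` and one `GetBits()` out-of-bounds reads are reported on a zero-length PLACEOBJECT tag (`pos=0, len=0`), yet parsing continues and `swf_GetBits` then dereferences memory outside the tag buffer. The block below is an added example, not code from this issue or from swftools, of a bit reader that checks the remaining bit budget before touching the buffer and propagates the failure to the record-level reader so a MATRIX-style record aborts cleanly. The types and function names (`tag_t`, `bits_get`, `record_read_safe`) and the two-byte sample payload are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical tag cursor, modelled loosely on an rfxswf-style TAG. */
typedef struct {
    const uint8_t *data;  /* tag payload */
    uint32_t len;         /* payload length in bytes */
    uint32_t pos;         /* byte cursor into data[] */
    uint8_t bitpos;       /* bits already consumed in data[pos], 0..7 */
} tag_t;

/* Read nbits (0..32) MSB-first.  Returns 0 on success, -1 if the read would
 * cross the end of the payload.  The remaining-bit budget is computed in
 * 64-bit so a cursor already past the end (as after earlier failed reads)
 * cannot wrap into a "valid" value.  On failure the cursor is not advanced
 * and the buffer is never touched. */
static int bits_get(tag_t *t, unsigned nbits, uint32_t *out)
{
    if (nbits > 32) return -1;
    uint64_t consumed = (uint64_t)t->pos * 8 + t->bitpos;
    uint64_t total = (uint64_t)t->len * 8;
    if (consumed > total || total - consumed < nbits) return -1;

    uint32_t v = 0;
    for (unsigned i = 0; i < nbits; i++) {
        v = (v << 1) | ((t->data[t->pos] >> (7 - t->bitpos)) & 1u);
        if (++t->bitpos == 8) { t->bitpos = 0; t->pos++; }
    }
    *out = v;
    return 0;
}

/* Simplified MATRIX-like record: 1 flag bit; if set, a 5-bit field width
 * followed by two values of that width.  Every read's status is checked and
 * the error is returned instead of continuing with garbage.
 * Returns the number of values read (0 or 2), or -1 on truncation. */
static int record_read_safe(tag_t *t, uint32_t vals[2])
{
    uint32_t flag, nbits;
    if (bits_get(t, 1, &flag) < 0) return -1;
    if (!flag) return 0;
    if (bits_get(t, 5, &nbits) < 0) return -1;
    for (int i = 0; i < 2; i++)
        if (bits_get(t, nbits, &vals[i]) < 0) return -1;
    return 2;
}

/* Constructed payload: bits 1 | 00101 | 10101 | 01010 = 0x96 0xAA,
 * i.e. flag=1, width=5, values 21 and 10. */
static const uint8_t SAMPLE[2] = { 0x96, 0xAA };

/* Well-formed record: returns 2 when both values decode as expected. */
int example_complete(void)
{
    tag_t t = { SAMPLE, 2, 0, 0 };
    uint32_t v[2] = { 0, 0 };
    int n = record_read_safe(&t, v);
    return (n == 2 && v[0] == 21 && v[1] == 10) ? 2 : -1;
}

/* Same bytes but the tag claims only 1 byte: the first value needs 5 bits,
 * only 2 remain, so the record reader returns -1 instead of reading on. */
int example_truncated(void)
{
    tag_t t = { SAMPLE, 1, 0, 0 };
    uint32_t v[2] = { 0, 0 };
    return record_read_safe(&t, v);
}

/* Cursor already beyond the payload (pos 5 of a 2-byte tag), the state the
 * repeated GetU16() failures above leave behind: refused without a read. */
int example_cursor_past_end(void)
{
    tag_t t = { SAMPLE, 2, 5, 0 };
    uint32_t v = 0;
    return bits_get(&t, 1, &v);
}

int main(void)
{
    printf("complete: %d\n", example_complete());
    printf("truncated: %d\n", example_truncated());
    printf("cursor past end: %d\n", example_cursor_past_end());
    return 0;
}
```

The point of the design is that the bounds check and the buffer access live in the same function, and callers such as the record reader treat a negative return as fatal for the tag rather than as a warning to log and ignore.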
