heap-buffer-overflow exit in swf5lex() at lib/lex.swf5.c:1321 #213

Open

Diggingwei opened this issue Jan 10, 2024 · 0 comments

Diggingwei commented Jan 10, 2024

Summary

A heap-buffer-overflow is triggered when using swfc, which results in an out-of-bounds write.

Version

$ ./swfc -V
swfc - part of swftools 0.9.2
$ git log --oneline -1
772e55a2 (HEAD, origin/master, origin/HEAD, master)

Platform

$ uname -a
Linux 1cc373898f58 5.4.0-150-generic #167~18.04.1-Ubuntu SMP Wed May 24 00:51:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
clang version : 12.0.0

Reproduce

PoC: poc.zip
Command line: ./swfc poc

Debug Info

==50670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000000d9 at pc 0x0000007bbe80 bp 0x7fffffffc270 sp 0x7fffffffc268
WRITE of size 1 at 0x6290000000d9 thread T0
    #0 0x7bbe7f in swf5lex /src/project/swftools_project/swftools/lib/lex.swf5.c:1321:10
    #1 0x7f0ec6 in swf5parse /src/project/swftools_project/swftools/lib/swf5compiler.tab.c:3061:16
    #2 0x67fe3d in compileSWFActionCode /src/project/swftools_project/swftools/lib/action/actioncompiler.c:90:6
    #3 0x58fb43 in swf_ActionCompile /src/project/swftools_project/swftools/lib/modules/swfaction.c:1111:11
    #4 0x5005d5 in s_action /src/project/swftools_project/swftools/src/swfc.c:1966:13
    #5 0x541fd0 in c_action /src/project/swftools_project/swftools/src/swfc.c
    #6 0x51b3ad in parseArgumentsForCommand /src/project/swftools_project/swftools/src/swfc.c:4475:5
    #7 0x51b3ad in main /src/project/swftools_project/swftools/src/swfc.c:4598:2
    #8 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #9 0x41d61d in _start (/src/project/swftools_project/swftools/src/swfc+0x41d61d)
0x6290000000d9 is located 295 bytes to the left of 16386-byte region [0x629000000200,0x629000004202)
freed by thread T0 here:
    #0 0x498612 in free (/src/project/swftools_project/swftools/src/swfc+0x498612)
    #1 0x4e8c6e in yyfree /src/project/swftools_project/swftools/src/parser.yy.c:2217:2
    #2 0x4e8c6e in yy_delete_buffer /src/project/swftools_project/swftools/src/parser.yy.c:1759:3
    #3 0x4e8c6e in generateTokens /src/project/swftools_project/swftools/src/parser.lex:315:5
    #4 0x51aa9d in main /src/project/swftools_project/swftools/src/swfc.c:4585:12
    #5 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

previously allocated by thread T0 here:
    #0 0x49887d in malloc (/src/project/swftools_project/swftools/src/swfc+0x49887d)
    #1 0x4db8e7 in yyalloc /src/project/swftools_project/swftools/src/parser.yy.c:2200:18
    #2 0x4db8e7 in yy_create_buffer /src/project/swftools_project/swftools/src/parser.yy.c:1734:26

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/project/swftools_project/swftools/lib/lex.swf5.c:1321:10 in swf5lex
Shadow bytes around the buggy address:
  0x0c527fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c527fff8010: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c527fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c527fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c527fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==50670==ABORTING
Diggingwei changed the title from "heap-buffer-overflow exit in swf5lex() at lex.swf5.c:1321" to "heap-buffer-overflow exit in swf5lex() at lib/lex.swf5.c:1321" on Jan 11, 2024