Summary
A heap-buffer-overflow occurs when using swfc, which results in an out-of-bounds write.
Version
$ ./swfc -V
swfc - part of swftools 0.9.2
$ git log --oneline -1
772e55a2 (HEAD, origin/master, origin/HEAD, master)
Platform
$ uname -a
Linux 1cc373898f58 5.4.0-150-generic #167~18.04.1-Ubuntu SMP Wed May 24 00:51:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
clang version : 12.0.0
Debug Info
==50670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000000d9 at pc 0x0000007bbe80 bp 0x7fffffffc270 sp 0x7fffffffc268
WRITE of size 1 at 0x6290000000d9 thread T0
#0 0x7bbe7f in swf5lex /src/project/swftools_project/swftools/lib/lex.swf5.c:1321:10
#1 0x7f0ec6 in swf5parse /src/project/swftools_project/swftools/lib/swf5compiler.tab.c:3061:16
#2 0x67fe3d in compileSWFActionCode /src/project/swftools_project/swftools/lib/action/actioncompiler.c:90:6
#3 0x58fb43 in swf_ActionCompile /src/project/swftools_project/swftools/lib/modules/swfaction.c:1111:11
#4 0x5005d5 in s_action /src/project/swftools_project/swftools/src/swfc.c:1966:13
#5 0x541fd0 in c_action /src/project/swftools_project/swftools/src/swfc.c
#6 0x51b3ad in parseArgumentsForCommand /src/project/swftools_project/swftools/src/swfc.c:4475:5
#7 0x51b3ad in main /src/project/swftools_project/swftools/src/swfc.c:4598:2
#8 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#9 0x41d61d in _start (/src/project/swftools_project/swftools/src/swfc+0x41d61d)
0x6290000000d9 is located 295 bytes to the left of 16386-byte region [0x629000000200,0x629000004202)
freed by thread T0 here:
#0 0x498612 in free (/src/project/swftools_project/swftools/src/swfc+0x498612)
#1 0x4e8c6e in yyfree /src/project/swftools_project/swftools/src/parser.yy.c:2217:2
#2 0x4e8c6e in yy_delete_buffer /src/project/swftools_project/swftools/src/parser.yy.c:1759:3
#3 0x4e8c6e in generateTokens /src/project/swftools_project/swftools/src/parser.lex:315:5
#4 0x51aa9d in main /src/project/swftools_project/swftools/src/swfc.c:4585:12
#5 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
previously allocated by thread T0 here:
#0 0x49887d in malloc (/src/project/swftools_project/swftools/src/swfc+0x49887d)
#1 0x4db8e7 in yyalloc /src/project/swftools_project/swftools/src/parser.yy.c:2200:18
#2 0x4db8e7 in yy_create_buffer /src/project/swftools_project/swftools/src/parser.yy.c:1734:26
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/project/swftools_project/swftools/lib/lex.swf5.c:1321:10 in swf5lex
Shadow bytes around the buggy address:
0x0c527fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c527fff8010: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
0x0c527fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c527fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c527fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==50670==ABORTING
Diggingwei changed the title from "heap-buffer-overflow exit in swf5lex() at lex.swf5.c:1321" to "heap-buffer-overflow exit in swf5lex() at lib/lex.swf5.c:1321" on Jan 11, 2024
Reproduce
PoC : poc.zip
Command Line :
./swfc poc
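Triaging a report like the one above comes down to pulling out a few fields and cross-checking them. The script below is an added example, not code from the swftools project or from the issue reporter: it parses an AddressSanitizer report (SAMPLE_REPORT is an excerpt copied from the report in this issue), extracts the bug class, the faulting access, the crash stack and the address's position relative to the nearest heap chunk, and then re-derives that position from the chunk bounds so a mangled or hand-edited report is caught. The function and variable names are my own; the project root passed to `top_project_frame` is the path visible in the trace.

```python
# Added example, not code from swftools or from the issue reporter: a small
# triage parser for AddressSanitizer reports. It pulls out the bug class, the
# faulting access, the stacks and the position of the address relative to the
# nearest heap chunk, then cross-checks that position against the chunk bounds.
# SAMPLE_REPORT is an excerpt copied from the report in this issue.
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_REPORT = """\
==50670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000000d9 at pc 0x0000007bbe80 bp 0x7fffffffc270 sp 0x7fffffffc268
WRITE of size 1 at 0x6290000000d9 thread T0
    #0 0x7bbe7f in swf5lex /src/project/swftools_project/swftools/lib/lex.swf5.c:1321:10
    #1 0x7f0ec6 in swf5parse /src/project/swftools_project/swftools/lib/swf5compiler.tab.c:3061:16
    #2 0x67fe3d in compileSWFActionCode /src/project/swftools_project/swftools/lib/action/actioncompiler.c:90:6
    #3 0x58fb43 in swf_ActionCompile /src/project/swftools_project/swftools/lib/modules/swfaction.c:1111:11
    #4 0x5005d5 in s_action /src/project/swftools_project/swftools/src/swfc.c:1966:13
    #5 0x541fd0 in c_action /src/project/swftools_project/swftools/src/swfc.c
    #6 0x51b3ad in parseArgumentsForCommand /src/project/swftools_project/swftools/src/swfc.c:4475:5
    #7 0x51b3ad in main /src/project/swftools_project/swftools/src/swfc.c:4598:2
    #8 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #9 0x41d61d in _start (/src/project/swftools_project/swftools/src/swfc+0x41d61d)
0x6290000000d9 is located 295 bytes to the left of 16386-byte region [0x629000000200,0x629000004202)
freed by thread T0 here:
    #0 0x498612 in free (/src/project/swftools_project/swftools/src/swfc+0x498612)
    #1 0x4e8c6e in yyfree /src/project/swftools_project/swftools/src/parser.yy.c:2217:2
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/project/swftools_project/swftools/lib/lex.swf5.c:1321:10 in swf5lex
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread T\d+")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (.+)$")
LOC_RE = re.compile(r"^(\S+?):(\d+)(?::(\d+))?$")          # file:line[:col]
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes (to the left of|to the right of|inside of) "
                       r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
STACK_LABELS = {"freed by": "freed", "previously allocated by": "allocated"}

@dataclass
class Frame:
    idx: int
    func: str
    file: Optional[str] = None   # None when only a module+offset is known
    line: Optional[int] = None
    col: Optional[int] = None

def _frame(idx: int, func: str, loc: str) -> Frame:
    if loc.startswith("("):                      # e.g. (/lib/.../libc.so.6+0x24082)
        return Frame(idx, func)
    m = LOC_RE.match(loc)
    if not m:                                    # file known, line not (no debug info)
        return Frame(idx, func, file=loc)
    return Frame(idx, func, m.group(1), int(m.group(2)), int(m.group(3)) if m.group(3) else None)

def parse_asan(text: str) -> dict:
    """Return {kind, addr, op, size, stacks, region} for the first ERROR block in text."""
    r, current = None, None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            r = {"kind": m.group(2), "addr": int(m.group(3), 16), "op": None, "size": None,
                 "stacks": {}, "region": None}
        elif r is None:
            continue                              # ignore anything before the ERROR header
        elif m := ACCESS_RE.match(line):
            r["op"], r["size"] = m.group(1), int(m.group(2))
            current = r["stacks"].setdefault("crash", [])   # frames that follow are the crash stack
        elif m := REGION_RE.match(line):
            r["region"] = {"dist": int(m.group(1)), "rel": m.group(2).split()[-2],
                           "lo": int(m.group(4), 16), "hi": int(m.group(5), 16)}
            current = None
        elif label := next((v for k, v in STACK_LABELS.items() if line.startswith(k)), None):
            current = r["stacks"].setdefault(label, [])     # "freed by" / "previously allocated by"
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(_frame(int(m.group(1)), m.group(2), m.group(3)))
        elif line.startswith("SUMMARY:"):
            break
    if r is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return r

def top_project_frame(r: dict, project_root: str) -> Optional[Frame]:
    """First crash frame with a line number under project_root: the line to open first."""
    return next((f for f in r["stacks"].get("crash", [])
                 if f.file and f.file.startswith(project_root) and f.line is not None), None)

def region_consistent(r: dict) -> bool:
    """Re-derive ASan's 'N bytes to the left/right of/inside' claim from the chunk bounds."""
    g = r["region"]
    if g is None:
        return False
    expected = {"left": g["lo"] - r["addr"], "right": r["addr"] - g["hi"],
                "inside": r["addr"] - g["lo"]}.get(g["rel"])
    return expected == g["dist"]
```

Run against the excerpt, the parser returns the WRITE of size 1 in swf5lex at lib/lex.swf5.c:1321 as the frame to open first, and the region check confirms the report's arithmetic: 0x629000000200 minus 0x6290000000d9 is 295, so the faulting address really does sit 295 bytes before a 16386-byte chunk whose most recent event was the free in yyfree. That the nearest chunk is already freed is only a hint about heap layout; the crashing line is the thing to read.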