heap-use-after-free exit in swf_DeleteTag() at lib/rfxswf.c:1193 #215

Open
Diggingwei opened this issue Jan 10, 2024 · 0 comments
Summary

A heap-use-after-free is caused when using swfc, which results in an out-of-bounds write.

Version

$ ./swfc -V
swfc - part of swftools 0.9.2
$ git log --oneline -1
772e55a2 (HEAD, origin/master, origin/HEAD, master)

Platform

$ uname -a
Linux 1cc373898f58 5.4.0-150-generic #167~18.04.1-Ubuntu SMP Wed May 24 00:51:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
clang version : 12.0.0

Reproduce

PoC : poc.zip
Command Line : ./swfc poc

Debug Info

==585==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000023860 at pc 0x000000641f43 bp 0x7fffffffe1b0 sp 0x7fffffffe1a8
WRITE of size 8 at 0x606000023860 thread T0
    #0 0x641f42 in swf_DeleteTag /src/project/swftools_project/swftools/lib/rfxswf.c:1193:30
    #1 0x50ce45 in removeFromTo /src/project/swftools_project/swftools/src/swfc.c:842:6
    #2 0x50ce45 in s_endSWF /src/project/swftools_project/swftools/src/swfc.c:1041:8    
    #3 0x50ce45 in s_end /src/project/swftools_project/swftools/src/swfc.c:2380:13
    #4 0x542aaf in c_end /src/project/swftools_project/swftools/src/swfc.c:3769:5
    #5 0x51b3ad in parseArgumentsForCommand /src/project/swftools_project/swftools/src/swfc.c:4475:5
    #6 0x51b3ad in main /src/project/swftools_project/swftools/src/swfc.c:4598:2
    #7 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #8 0x41d61d in _start (/src/project/swftools_project/swftools/src/swfc+0x41d61d)
0x606000023860 is located 32 bytes inside of 56-byte region [0x606000023840,0x606000023878)
freed by thread T0 here:
    #0 0x498612 in free (/src/project/swftools_project/swftools/src/swfc+0x498612)
    #1 0x657993 in swf_FreeTags /src/project/swftools_project/swftools/lib/rfxswf.c:1933:5

previously allocated by thread T0 here:
    #0 0x4989f2 in calloc (/src/project/swftools_project/swftools/src/swfc+0x4989f2)    
    #1 0x9bce08 in rfx_calloc /src/project/swftools_project/swftools/lib/mem.c:69:9

SUMMARY: AddressSanitizer: heap-use-after-free /src/project/swftools_project/swftools/lib/rfxswf.c:1193:30 in swf_DeleteTag
Shadow bytes around the buggy address:
  0x0c0c7fffc6b0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fffc6c0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fffc6d0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fffc6e0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fffc6f0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
=>0x0c0c7fffc700: fd fd fd fa fa fa fa fa fd fd fd fd[fd]fd fd fa
  0x0c0c7fffc710: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fffc720: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c7fffc730: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fffc740: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fffc750: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==585==ABORTING
@Diggingwei Diggingwei changed the title heap-use-after-free exit in swf_DeleteTag() at rfxswf.c:1193 heap-use-after-free exit in swf_DeleteTag() at lib/rfxswf.c:1193 Jan 11, 2024