A heap-use-after-free occurs when using swfc, which results in an out-of-bounds write.
Version
$ ./swfc -V
swfc - part of swftools 0.9.2
$ git log --oneline -1
772e55a2 (HEAD, origin/master, origin/HEAD, master)
Platform
$ uname -a
Linux 1cc373898f58 5.4.0-150-generic #167~18.04.1-Ubuntu SMP Wed May 24 00:51:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
clang version : 12.0.0
==585==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000023860 at pc 0x000000641f43 bp 0x7fffffffe1b0 sp 0x7fffffffe1a8
WRITE of size 8 at 0x606000023860 thread T0
#0 0x641f42 in swf_DeleteTag /src/project/swftools_project/swftools/lib/rfxswf.c:1193:30
#1 0x50ce45 in removeFromTo /src/project/swftools_project/swftools/src/swfc.c:842:6
#2 0x50ce45 in s_endSWF /src/project/swftools_project/swftools/src/swfc.c:1041:8
#3 0x50ce45 in s_end /src/project/swftools_project/swftools/src/swfc.c:2380:13
#4 0x542aaf in c_end /src/project/swftools_project/swftools/src/swfc.c:3769:5
#5 0x51b3ad in parseArgumentsForCommand /src/project/swftools_project/swftools/src/swfc.c:4475:5
#6 0x51b3ad in main /src/project/swftools_project/swftools/src/swfc.c:4598:2
#7 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#8 0x41d61d in _start (/src/project/swftools_project/swftools/src/swfc+0x41d61d)
0x606000023860 is located 32 bytes inside of 56-byte region [0x606000023840,0x606000023878)
freed by thread T0 here:
#0 0x498612 in free (/src/project/swftools_project/swftools/src/swfc+0x498612)
#1 0x657993 in swf_FreeTags /src/project/swftools_project/swftools/lib/rfxswf.c:1933:5
previously allocated by thread T0 here:
#0 0x4989f2 in calloc (/src/project/swftools_project/swftools/src/swfc+0x4989f2)
#1 0x9bce08 in rfx_calloc /src/project/swftools_project/swftools/lib/mem.c:69:9
SUMMARY: AddressSanitizer: heap-use-after-free /src/project/swftools_project/swftools/lib/rfxswf.c:1193:30 in swf_DeleteTag
Shadow bytes around the buggy address:
0x0c0c7fffc6b0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fffc6c0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c7fffc6d0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c7fffc6e0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fffc6f0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
=>0x0c0c7fffc700: fd fd fd fa fa fa fa fa fd fd fd fd[fd]fd fd fa
0x0c0c7fffc710: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0c7fffc720: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
0x0c0c7fffc730: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fffc740: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fffc750: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==585==ABORTING
Diggingwei changed the title from "heap-use-after-free exit in swf_DeleteTag() at rfxswf.c:1193" to "heap-use-after-free exit in swf_DeleteTag() at lib/rfxswf.c:1193" on Jan 11, 2024
Reproduce
PoC : poc.zip
Command Line :
./swfc poc
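A triage sketch for the AddressSanitizer report above, added here and not part of the original issue or of swftools: it splits the report into its access, free and allocation stacks and derives a de-duplication key from the first project frame of each. The names `parse_asan` and `signature` and the embedded sample (lines copied from the report, stacks trimmed) are this example's own.

```python
import re

# Constructed sample: lines copied from the report on this page, stacks trimmed.
REPORT = """\
==585==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000023860 at pc 0x000000641f43 bp 0x7fffffffe1b0 sp 0x7fffffffe1a8
WRITE of size 8 at 0x606000023860 thread T0
#0 0x641f42 in swf_DeleteTag /src/project/swftools_project/swftools/lib/rfxswf.c:1193:30
#1 0x50ce45 in removeFromTo /src/project/swftools_project/swftools/src/swfc.c:842:6
0x606000023860 is located 32 bytes inside of 56-byte region [0x606000023840,0x606000023878)
freed by thread T0 here:
#0 0x498612 in free (/src/project/swftools_project/swftools/src/swfc+0x498612)
#1 0x657993 in swf_FreeTags /src/project/swftools_project/swftools/lib/rfxswf.c:1933:5
previously allocated by thread T0 here:
#0 0x4989f2 in calloc (/src/project/swftools_project/swftools/src/swfc+0x4989f2)
#1 0x9bce08 in rfx_calloc /src/project/swftools_project/swftools/lib/mem.c:69:9
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS = re.compile(r"(READ|WRITE) of size (\d+)")
REGION = re.compile(r"located (\d+) bytes inside of (\d+)-byte region")
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
ALLOCATOR = {"free", "malloc", "calloc", "realloc"}  # ASan interceptors, not project code
SECTIONS = {"freed by thread": "free", "previously allocated by thread": "alloc"}


def parse_asan(text):
    """Split a heap report into access/free/alloc stacks plus the key facts."""
    rep, section = {"stacks": {"access": [], "free": [], "alloc": []}}, None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.search(line):
            rep["bug"] = m.group(1)
        elif m := ACCESS.match(line):
            rep["op"], rep["size"], section = m.group(1), int(m.group(2)), "access"
        elif m := REGION.search(line):
            rep["offset"], rep["region_size"] = int(m.group(1)), int(m.group(2))
        elif hit := [s for p, s in SECTIONS.items() if line.startswith(p)]:
            section = hit[0]
        elif section and (m := FRAME.match(line)):
            func, loc = m.groups()
            # Symbolized frames end in file:line:col; "(module+0xoff)" frames have no source.
            src = None if loc.startswith("(") else re.sub(r":\d+$", "", loc).rsplit("/", 1)[-1]
            rep["stacks"][section].append((func, src))
    return rep


def signature(rep):
    """Dedup key: bug class, access kind, first non-allocator frame of each stack."""
    top = [next((f for f in rep["stacks"][k] if f[0] not in ALLOCATOR), None)
           for k in ("access", "free", "alloc")]
    return (rep["bug"], rep["op"], *top)
```

Keying on the free and allocation frames as well as the faulting frame keeps two use-after-free reports that crash in the same function, but free the object on different paths, from being merged into one ticket.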