gif2swf MovieAddFrame() memcpy overflow #33
Probably due to the size mismatch of the GIF Screen & image. gif2swf handles the common case of Screen>image size correctly.
If my guess is correct, we can fix it by cropping the image of each frame with screen size.
Or, if the image size does not fit in the screen size, we may want to make an error.
Crash : https://raw.githubusercontent.com/lcatro/My_PoC/master/swftools/git2swf_-r_2_-o_dev_null_-z_memory_corruption__fopen
Trigger : ./gif2swf -r 2 -o /dev/null -z swftools/git2swf_-r_2_-o_dev_null_-z_memory_corruption__fopen
Crash Detail :
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./gif2swf -r 2 -o /dev/null -z swftools/git2swf_-r_2_-o_dev_null_-z_memory_corruption__fopen
==29933==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c000006f10 at pc 0x7ff90bb97904 bp 0x7fff993b5990 sp 0x7fff993b5138
WRITE of size 60 at 0x61c000006f10 thread T0
#0 0x7ff90bb97903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
#1 0x4028b4 in MovieAddFrame (/home/fuzzer/fuzzing/swftools/src/gif2swf+0x4028b4)
#2 0x403a91 in main (/home/fuzzer/fuzzing/swftools/src/gif2swf+0x403a91)
#3 0x7ff90b0e682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x401ff8 in _start (/home/fuzzer/fuzzing/swftools/src/gif2swf+0x401ff8)
0x61c000006f10 is located 0 bytes to the right of 1680-byte region [0x61c000006880,0x61c000006f10)
allocated by thread T0 here:
#0 0x7ff90bba3602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4027d5 in MovieAddFrame (/home/fuzzer/fuzzing/swftools/src/gif2swf+0x4027d5)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
==29933==ABORTING
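An added example (not gif2swf's code) modeling the size mismatch behind this report and the cropping fix suggested in the comment: a screen-sized frame buffer, a per-frame image with its own offset and dimensions, and a row copy that clips the image rectangle to the screen before memcpy. The pixel layout, struct names and function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: one byte per pixel, row-major, like an indexed GIF.
   GIF descriptors hold positions and sizes as 16-bit values, so the int
   sums below cannot overflow. */
typedef struct { int width, height; uint8_t *pixels; } Screen;
typedef struct { uint16_t left, top, width, height; const uint8_t *pixels; } Image;

/* Unchecked pattern: trusts the image's own geometry when writing into the
   screen-sized buffer. An image wider than the screen, or one extending past
   its right or bottom edge, makes memcpy write past the allocation: the
   heap-buffer-overflow ASan reports. Shown for contrast only. */
void copy_frame_unchecked(Screen *s, const Image *img) {
    for (int y = 0; y < img->height; y++)
        memcpy(s->pixels + (size_t)(img->top + y) * s->width + img->left,
               img->pixels + (size_t)y * img->width, img->width);
}

/* Cropping fix suggested in the comment: clip the image rectangle to the
   screen and copy only the intersection. Returns -1 when nothing is visible
   so the caller can reject the frame rather than write out of bounds. */
int copy_frame_cropped(Screen *s, const Image *img) {
    int x0 = img->left, x1 = img->left + img->width;
    int y0 = img->top,  y1 = img->top + img->height;
    if (x1 > s->width)  x1 = s->width;
    if (y1 > s->height) y1 = s->height;
    if (x0 >= x1 || y0 >= y1) return -1;
    for (int y = y0; y < y1; y++)
        memcpy(s->pixels + (size_t)y * s->width + x0,
               img->pixels + (size_t)(y - y0) * img->width, (size_t)(x1 - x0));
    return 0;
}

/* Constructed scenario: a 4x3 screen and a 6x2 image at (1,0), i.e. wider than
   the screen as in the report. Returns 1 if the cropped copy fills exactly the
   visible 3x2 area and a fully off-screen image is rejected. */
int demo_crop(void) {
    uint8_t buf[12] = {0}, src[12];
    memset(src, 0xAA, sizeof src);
    Screen s = { 4, 3, buf };
    Image wide = { 1, 0, 6, 2, src }, off = { 4, 1, 2, 1, src };
    static const uint8_t want[12] = { 0, 0xAA, 0xAA, 0xAA, 0, 0xAA, 0xAA, 0xAA, 0, 0, 0, 0 };
    return copy_frame_cropped(&s, &wide) == 0 && memcmp(buf, want, 12) == 0
        && copy_frame_cropped(&s, &off) == -1;
}

int main(void) { printf("demo_crop: %s\n", demo_crop() ? "ok" : "FAIL"); return 0; }
```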