8000 heap-buffer-overflow exit in swf5lex() at lib/lex.swf5.c:1321 · Issue #213 · swftools/swftools · GitHub
heap-buffer-overflow exit in swf5lex() at lib/lex.swf5.c:1321 #213


Diggingwei opened this issue Jan 10, 2024 · 1 comment

Diggingwei commented Jan 10, 2024

Summary

A heap-buffer-overflow is caused when using swfc, which results in an out-of-bounds write.

Version

$ ./swfc -V
swfc - part of swftools 0.9.2
$ git log --oneline -1
772e55a2 (HEAD, origin/master, origin/HEAD, master)

Platform

$ uname -a
Linux 1cc373898f58 5.4.0-150-generic #167~18.04.1-Ubuntu SMP Wed May 24 00:51:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
clang version : 12.0.0

Reproduce

PoC : poc.zip
Command Line : ./swfc poc

Debug Info

==50670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000000d9 at pc 0x0000007bbe80 bp 0x7fffffffc270 sp 0x7fffffffc268
WRITE of size 1 at 0x6290000000d9 thread T0
    #0 0x7bbe7f in swf5lex /src/project/swftools_project/swftools/lib/lex.swf5.c:1321:10
    #1 0x7f0ec6 in swf5parse /src/project/swftools_project/swftools/lib/swf5compiler.tab.c:3061:16
    #2 0x67fe3d in compileSWFActionCode /src/project/swftools_project/swftools/lib/action/actioncompiler.c:90:6
    #3 0x58fb43 in swf_ActionCompile /src/project/swftools_project/swftools/lib/modules/swfaction.c:1111:11
    #4 0x5005d5 in s_action /src/project/swftools_project/swftools/src/swfc.c:1966:13
    #5 0x541fd0 in c_action /src/project/swftools_project/swftools/src/swfc.c
    #6 0x51b3ad in parseArgumentsForCommand /src/project/swftools_project/swftools/src/swfc.c:4475:5
    #7 0x51b3ad in main /src/project/swftools_project/swftools/src/swfc.c:4598:2
    #8 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #9 0x41d61d in _start (/src/project/swftools_project/swftools/src/swfc+0x41d61d)
0x6290000000d9 is located 295 bytes to the left of 16386-byte region [0x629000000200,0x629000004202)
freed by thread T0 here:
    #0 0x498612 in free (/src/project/swftools_project/swftools/src/swfc+0x498612)
    #1 0x4e8c6e in yyfree /src/project/swftools_project/swftools/src/parser.yy.c:2217:2
    #2 0x4e8c6e in yy_delete_buffer /src/project/swftools_project/swftools/src/parser.yy.c:1759:3
    #3 0x4e8c6e in generateTokens /src/project/swftools_project/swftools/src/parser.lex:315:5
    #4 0x51aa9d in main /src/project/swftools_project/swftools/src/swfc.c:4585:12
    #5 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

previously allocated by thread T0 here:
    #0 0x49887d in malloc (/src/project/swftools_project/swftools/src/swfc+0x49887d)    
    #1 0x4db8e7 in yyalloc /src/project/swftools_project/swftools/src/parser.yy.c:2200:18
    #2 0x4db8e7 in yy_create_buffer /src/project/swftools_project/swftools/src/parser.yy.c:1734:26

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/project/swftools_project/swftools/lib/lex.swf5.c:1321:10 in swf5lex
Shadow bytes around the buggy address:
  0x0c527fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c527fff8010: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c527fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c527fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c527fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==50670==ABORTING
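Added triage helper (example code, not part of this issue or the swftools project): it parses an abridged copy of the sanitizer report above, recovers the access type, the faulting frame and the relationship to the neighbouring heap region, and re-checks ASan's offset arithmetic so the report can be summarised consistently.

```python
import re

# Constructed, abridged copy of the AddressSanitizer report quoted in this issue.
ASAN_REPORT = """\
==50670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000000d9 at pc 0x0000007bbe80 bp 0x7fffffffc270 sp 0x7fffffffc268
WRITE of size 1 at 0x6290000000d9 thread T0
    #0 0x7bbe7f in swf5lex /src/project/swftools_project/swftools/lib/lex.swf5.c:1321:10
    #1 0x7f0ec6 in swf5parse /src/project/swftools_project/swftools/lib/swf5compiler.tab.c:3061:16
0x6290000000d9 is located 295 bytes to the left of 16386-byte region [0x629000000200,0x629000004202)
freed by thread T0 here:
    #0 0x498612 in free (/src/project/swftools_project/swftools/src/swfc+0x498612)
    #1 0x4e8c6e in yyfree /src/project/swftools_project/swftools/src/parser.yy.c:2217:2
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/project/swftools_project/swftools/lib/lex.swf5.c:1321:10 in swf5lex
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+", re.M)
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(
    r"^(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes to the (?P<side>left|right) "
    r"of (?P<size>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)", re.M)

def parse_asan(report):
    """Pull the triage-relevant fields out of an ASan heap-buffer-overflow report."""
    err, acc, reg = (r.search(report) for r in (ERROR_RE, ACCESS_RE, REGION_RE))
    if not (err and acc and reg):
        raise ValueError("not a recognised AddressSanitizer heap-buffer-overflow report")
    # Frames between the access line and the "is located" line are the faulting stack;
    # frame #0 is where the bad access happened.
    frames = [(m["func"], m["loc"]) for m in FRAME_RE.finditer(report, acc.end(), reg.start())]
    addr, lo, hi = (int(reg[k], 16) for k in ("addr", "lo", "hi"))
    dist = int(reg["dist"])
    # Re-derive ASan's offset: "N bytes to the left" means addr + N == region start,
    # "N bytes to the right" means addr - N == region end.
    arithmetic_ok = (addr + dist == lo) if reg["side"] == "left" else (addr - dist == hi)
    return {
        "kind": err["kind"], "op": acc["op"], "size": int(acc["size"]),
        "fault_frame": frames[0], "side": reg["side"], "distance": dist,
        "region_bytes": int(reg["size"]),
        "region_freed": "freed by thread" in report,  # the neighbouring buffer was already free()d
        "arithmetic_ok": arithmetic_ok,
    }

def triage(info):
    """Coarse severity: an out-of-bounds heap WRITE corrupts memory, a READ only discloses it."""
    if info["kind"] == "heap-buffer-overflow" and info["op"] == "WRITE":
        return "high: out-of-bounds heap write in " + info["fault_frame"][0]
    return "medium: out-of-bounds heap read in " + info["fault_frame"][0]
```

For this report the parser confirms that the 1-byte write lands 295 bytes before a 16386-byte region that had already been freed, i.e. in the heap left redzone, which is why the shadow bytes around the address read `fa`.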
@Diggingwei Diggingwei changed the title heap-buffer-overflow exit in swf5lex() at lex.swf5.c:1321 heap-buffer-overflow exit in swf5lex() at lib/lex.swf5.c:1321 Jan 11, 2024
@kittener

hello~ when I reproduce this bug, it echoes these messages as follows:

$ ./swfc ../../poc 
"../../poc", line 3 column 17: warning- Couldn't open file "cxform.swf": No such file or directory
error: 
Line 8: Reason: 'Unexpected EOF found while looking for input.'
"../../poc", line 6 column 12: error- Couldn't compile ActionScript

Is it successful or not?
