
heap-use-after-free exists in the function swf_FontExtract_DefineTextCallback in swftext.c

Open. cxlzff opened this issue 3 years ago · 1 comment

System info

Ubuntu x86_64, clang 6.0, swfdump (latest master a9d5082)

Command line

./src/swfdump -D @@

AddressSanitizer output

==25679==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000d6a0 at pc 0x00000044059d bp 0x7fffffffd270 sp 0x7fffffffd260
WRITE of size 2 at 0x60600000d6a0 thread T0
    #0 0x44059c in swf_FontExtract_DefineTextCallback modules/swftext.c:508
    #1 0x449c46 in swf_FontExtract_DefineText modules/swftext.c:532
    #2 0x44a355 in swf_FontExtract modules/swftext.c:617
    #3 0x40c2dc in fontcallback2 /test/swftools-asan/src/swfdump.c:941
    #4 0x4433c6 in swf_FontEnumerate modules/swftext.c:133
    #5 0x409208 in main /test/swftools-asan/src/swfdump.c:1296
    #6 0x7ffff68a683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #7 0x40c168 in _start (/test/swftools-asan/src/swfdump+0x40c168)

0x60600000d6a0 is located 0 bytes inside of 56-byte region [0x60600000d6a0,0x60600000d6d8)
freed by thread T0 here:
    #0 0x7ffff6f022ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x47db2c in swf_ReadTag /test/swftools-asan/lib/rfxswf.c:1234
    #2 0x541396 (/test/swftools-asan/src/swfdump+0x541396)

previously allocated by thread T0 here:
    #0 0x7ffff6f0279a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x53318c in rfx_calloc /test/swftools-asan/lib/mem.c:69
    #2 0x541396 (/test/swftools-asan/src/swfdump+0x541396)

SUMMARY: AddressSanitizer: heap-use-after-free modules/swftext.c:508 swf_FontExtract_DefineTextCallback
Shadow bytes around the buggy address:
  0x0c0c7fff9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9a90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff9aa0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff9ab0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff9ac0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0c7fff9ad0: fa fa fa fa[fd]fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff9ae0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff9af0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff9b00: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff9b10: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff9b20: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25679==ABORTING

POC: swf_FontExtract_DefineTextCallback_uaf_poc

cxlzff, Oct 07 '21 13:10

Is it exploitable?

PavelBlinnikov, May 31 '22 23:05