swftools
swftools copied to clipboard
Published
20 hours ago •
matthiaskramm
matthiaskramm
bug report -- swfdump
1.NULL pointer dereference
env
ubuntu20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
swfdump - part of swftools 0.9.2
sample
poc_SEGV_swf_FontExtract_DefineTextCallback
crash
./swfdump -D poc_SEGV_swf_FontExtract_DefineTextCallback
==963719==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5588f4dfd3e0 bp 0x7ffe5d0b8c80 sp 0x7ffe5d0b8b60 T0)
==963719==The signal is caused by a WRITE memory access.
==963719==Hint: address points to the zero page.
#0 0x5588f4dfd3df in swf_FontExtract_DefineTextCallback modules/swftext.c:508
#1 0x5588f4e006c2 in swf_FontExtract_DefineText modules/swftext.c:532
#2 0x5588f4e00a2a in swf_FontExtract modules/swftext.c:617
#3 0x5588f4de414e in fontcallback2 /home/ther/fuzzing/swftools-master/src/swfdump.c:941
#4 0x5588f4dfe784 in swf_FontEnumerate modules/swftext.c:133
#5 0x5588f4dea6c2 in main /home/ther/fuzzing/swftools-master/src/swfdump.c:1296
#6 0x7faf5a182082 in __libc_start_main ../csu/libc-start.c:308
#7 0x5588f4de3ced in _start (/home/ther/fuzzing/swftools-master/src/swfdump+0x23ced)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV modules/swftext.c:508 in swf_FontExtract_DefineTextCallback
==963719==ABORTING
2.NULL pointer dereference
env
ubuntu20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
swfdump - part of swftools 0.9.2
sample
crash
./swfdump -D poc_SEGV_textcallback
==963737==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x564fa1282f2d bp 0x000000000000 sp 0x7ffe017c3e00 T0)
==963737==The signal is caused by a READ memory access.
==963737==Hint: address points to the zero page.
#0 0x564fa1282f2c in textcallback /home/ther/fuzzing/swftools-master/src/swfdump.c:409
#1 0x564fa129c55d in swf_FontExtract_DefineTextCallback modules/swftext.c:516
#2 0x564fa129f6a4 in swf_ParseDefineText modules/swftext.c:527
#3 0x564fa1284a03 in handleText /home/ther/fuzzing/swftools-master/src/swfdump.c:457
#4 0x564fa128ab62 in main /home/ther/fuzzing/swftools-master/src/swfdump.c:1520
#5 0x7f073471a082 in __libc_start_main ../csu/libc-start.c:308
#6 0x564fa1282ced in _start (/home/ther/fuzzing/swftools-master/src/swfdump+0x23ced)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ther/fuzzing/swftools-master/src/swfdump.c:409 in textcallback
==963737==ABORTING
3.stack-overflow
env
ubuntu20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
swfdump - part of swftools 0.9.2
sample
poc_stack-overflow_constant_tostring
crash
./swfdump -D poc_stack-overflow_constant_tostring
=963740==ERROR: AddressSanitizer: stack-overflow on address 0x7ffee2312f90 (pc 0x7f8db2b9c881 bp 0x7ffee2313450 sp 0x7ffee2312ee0 T0)
#0 0x7f8db2b9c880 in __vfprintf_internal /build/glibc-SzIz7B/glibc-2.31/stdio-common/vfprintf-internal.c:1289
#1 0x7f8db2b9fea1 in buffered_vfprintf /build/glibc-SzIz7B/glibc-2.31/stdio-common/vfprintf-internal.c:2377
#2 0x7f8db2b9cd23 in __vfprintf_internal /build/glibc-SzIz7B/glibc-2.31/stdio-common/vfprintf-internal.c:1346
#3 0x7f8db2f20f88 in __interceptor_vfprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1604
#4 0x7f8db2f211ce in __interceptor___fprintf_chk ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1666
#5 0x557d9ec1e2ac in fprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:100
#6 0x557d9ec1e2ac in constant_tostring as3/pool.c:778
#7 0x557d9ec147f4 in traits_dump as3/abc.c:607
#8 0x557d9ec14159 in dump_method as3/abc.c:403
#9 0x557d9ec1468e in traits_dump as3/abc.c:596
#10 0x557d9ec14159 in dump_method as3/abc.c:403
#11 0x557d9ec1468e in traits_dump as3/abc.c:596
#12 0x557d9ec14159 in dump_method as3/abc.c:403
#13 0x557d9ec1468e in traits_dump as3/abc.c:596
#14 0x557d9ec14159 in dump_method as3/abc.c:403
#15 0x557d9ec1468e in traits_dump as3/abc.c:596
#16 0x557d9ec14159 in dump_method as3/abc.c:403
#17 0x557d9ec1468e in traits_dump as3/abc.c:596
#18 0x557d9ec14159 in dump_method as3/abc.c:403
#19 0x557d9ec1468e in traits_dump as3/abc.c:596
#20 0x557d9ec14159 in dump_method as3/abc.c:403
#21 0x557d9ec1468e in traits_dump as3/abc.c:596
#22 0x557d9ec14159 in dump_method as3/abc.c:403
#23 0x557d9ec1468e in traits_dump as3/abc.c:596
#24 0x557d9ec14159 in dump_method as3/abc.c:403
#25 0x557d9ec1468e in traits_dump as3/abc.c:596
#26 0x557d9ec14159 in dump_method as3/abc.c:403
#27 0x557d9ec1468e in traits_dump as3/abc.c:596
#28 0x557d9ec14159 in dump_method as3/abc.c:403
#29 0x557d9ec1468e in traits_dump as3/abc.c:596
#30 0x557d9ec14159 in dump_method as3/abc.c:403
#31 0x557d9ec1468e in traits_dump as3/abc.c:596
#32 0x557d9ec14159 in dump_method as3/abc.c:403
#33 0x557d9ec1468e in traits_dump as3/abc.c:596
#34 0x557d9ec14159 in dump_method as3/abc.c:403
#35 0x557d9ec1468e in traits_dump as3/abc.c:596
#36 0x557d9ec14159 in dump_method as3/abc.c:403
#37 0x557d9ec1468e in traits_dump as3/abc.c:596
#38 0x557d9ec14159 in dump_method as3/abc.c:403
#39 0x557d9ec1468e in traits_dump as3/abc.c:596
#40 0x557d9ec14159 in dump_method as3/abc.c:403
#41 0x557d9ec1468e in traits_dump as3/abc.c:596
#42 0x557d9ec14159 in dump_method as3/abc.c:403
#43 0x557d9ec1468e in traits_dump as3/abc.c:596
#44 0x557d9ec14159 in dump_method as3/abc.c:403
#45 0x557d9ec1468e in traits_dump as3/abc.c:596
#46 0x557d9ec14159 in dump_method as3/abc.c:403
#47 0x557d9ec1468e in traits_dump as3/abc.c:596
#48 0x557d9ec14159 in dump_method as3/abc.c:403
#49 0x557d9ec1468e in traits_dump as3/abc.c:596
#50 0x557d9ec14159 in dump_method as3/abc.c:403
#51 0x557d9ec1468e in traits_dump as3/abc.c:596
#52 0x557d9ec14159 in dump_method as3/abc.c:403
#53 0x557d9ec1468e in traits_dump as3/abc.c:596
#54 0x557d9ec14159 in dump_method as3/abc.c:403
#55 0x557d9ec1468e in traits_dump as3/abc.c:596
#56 0x557d9ec14159 in dump_method as3/abc.c:403
#57 0x557d9ec1468e in traits_dump as3/abc.c:596
#58 0x557d9ec14159 in dump_method as3/abc.c:403
#59 0x557d9ec1468e in traits_dump as3/abc.c:596
#60 0x557d9ec14159 in dump_method as3/abc.c:403
#61 0x557d9ec1468e in traits_dump as3/abc.c:596
#62 0x557d9ec14159 in dump_method as3/abc.c:403
#63 0x557d9ec1468e in traits_dump as3/abc.c:596
#64 0x557d9ec14159 in dump_method as3/abc.c:403
#65 0x557d9ec1468e in traits_dump as3/abc.c:596
#66 0x557d9ec14159 in dump_method as3/abc.c:403
#67 0x557d9ec1468e in traits_dump as3/abc.c:596
#68 0x557d9ec14159 in dump_method as3/abc.c:403
#69 0x557d9ec1468e in traits_dump as3/abc.c:596
#70 0x557d9ec14159 in dump_method as3/abc.c:403
#71 0x557d9ec1468e in traits_dump as3/abc.c:596
#72 0x557d9ec14159 in dump_method as3/abc.c:403
#73 0x557d9ec1468e in traits_dump as3/abc.c:596
#74 0x557d9ec14159 in dump_method as3/abc.c:403
#75 0x557d9ec1468e in traits_dump as3/abc.c:596
#76 0x557d9ec14159 in dump_method as3/abc.c:403
#77 0x557d9ec1468e in traits_dump as3/abc.c:596
#78 0x557d9ec14159 in dump_method as3/abc.c:403
#79 0x557d9ec1468e in traits_dump as3/abc.c:596
#80 0x557d9ec14159 in dump_method as3/abc.c:403
#81 0x557d9ec1468e in traits_dump as3/abc.c:596
#82 0x557d9ec14159 in dump_method as3/abc.c:403
#83 0x557d9ec1468e in traits_dump as3/abc.c:596
#84 0x557d9ec14159 in dump_method as3/abc.c:403
#85 0x557d9ec1468e in traits_dump as3/abc.c:596
#86 0x557d9ec14159 in dump_method as3/abc.c:403
#87 0x557d9ec1468e in traits_dump as3/abc.c:596
#88 0x557d9ec14159 in dump_method as3/abc.c:403
#89 0x557d9ec1468e in traits_dump as3/abc.c:596
#90 0x557d9ec14159 in dump_method as3/abc.c:403
#91 0x557d9ec1468e in traits_dump as3/abc.c:596
#92 0x557d9ec14159 in dump_method as3/abc.c:403
#93 0x557d9ec1468e in traits_dump as3/abc.c:596
#94 0x557d9ec14159 in dump_method as3/abc.c:403
#95 0x557d9ec1468e in traits_dump as3/abc.c:596
#96 0x557d9ec14159 in dump_method as3/abc.c:403
#97 0x557d9ec1468e in traits_dump as3/abc.c:596
#98 0x557d9ec14159 in dump_method as3/abc.c:403
#99 0x557d9ec1468e in traits_dump as3/abc.c:596
#100 0x557d9ec14159 in dump_method as3/abc.c:403
#101 0x557d9ec1468e in traits_dump as3/abc.c:596
#102 0x557d9ec14159 in dump_method as3/abc.c:403
#103 0x557d9ec1468e in traits_dump as3/abc.c:596
#104 0x557d9ec14159 in dump_method as3/abc.c:403
#105 0x557d9ec1468e in traits_dump as3/abc.c:596
#106 0x557d9ec14159 in dump_method as3/abc.c:403
#107 0x557d9ec1468e in traits_dump as3/abc.c:596
#108 0x557d9ec14159 in dump_method as3/abc.c:403
#109 0x557d9ec1468e in traits_dump as3/abc.c:596
#110 0x557d9ec14159 in dump_method as3/abc.c:403
#111 0x557d9ec1468e in traits_dump as3/abc.c:596
#112 0x557d9ec14159 in dump_method as3/abc.c:403
#113 0x557d9ec1468e in traits_dump as3/abc.c:596
#114 0x557d9ec14159 in dump_method as3/abc.c:403
#115 0x557d9ec1468e in traits_dump as3/abc.c:596
#116 0x557d9ec14159 in dump_method as3/abc.c:403
#117 0x557d9ec1468e in traits_dump as3/abc.c:596
#118 0x557d9ec14159 in dump_method as3/abc.c:403
#119 0x557d9ec1468e in traits_dump as3/abc.c:596
#120 0x557d9ec14159 in dump_method as3/abc.c:403
#121 0x557d9ec1468e in traits_dump as3/abc.c:596
#122 0x557d9ec14159 in dump_method as3/abc.c:403
#123 0x557d9ec1468e in traits_dump as3/abc.c:596
#124 0x557d9ec14159 in dump_method as3/abc.c:403
#125 0x557d9ec1468e in traits_dump as3/abc.c:596
#126 0x557d9ec14159 in dump_method as3/abc.c:403
#127 0x557d9ec1468e in traits_dump as3/abc.c:596
#128 0x557d9ec14159 in dump_method as3/abc.c:403
#129 0x557d9ec1468e in traits_dump as3/abc.c:596
#130 0x557d9ec14159 in dump_method as3/abc.c:403
#131 0x557d9ec1468e in traits_dump as3/abc.c:596
#132 0x557d9ec14159 in dump_method as3/abc.c:403
#133 0x557d9ec1468e in traits_dump as3/abc.c:596
#134 0x557d9ec14159 in dump_method as3/abc.c:403
#135 0x557d9ec1468e in traits_dump as3/abc.c:596
#136 0x557d9ec14159 in dump_method as3/abc.c:403
#137 0x557d9ec1468e in traits_dump as3/abc.c:596
#138 0x557d9ec14159 in dump_method as3/abc.c:403
#139 0x557d9ec1468e in traits_dump as3/abc.c:596
#140 0x557d9ec14159 in dump_method as3/abc.c:403
#141 0x557d9ec1468e in traits_dump as3/abc.c:596
#142 0x557d9ec14159 in dump_method as3/abc.c:403
#143 0x557d9ec1468e in traits_dump as3/abc.c:596
#144 0x557d9ec14159 in dump_method as3/abc.c:403
#145 0x557d9ec1468e in traits_dump as3/abc.c:596
#146 0x557d9ec14159 in dump_method as3/abc.c:403
#147 0x557d9ec1468e in traits_dump as3/abc.c:596
#148 0x557d9ec14159 in dump_method as3/abc.c:403
#149 0x557d9ec1468e in traits_dump as3/abc.c:596
#150 0x557d9ec14159 in dump_method as3/abc.c:403
#151 0x557d9ec1468e in traits_dump as3/abc.c:596
#152 0x557d9ec14159 in dump_method as3/abc.c:403
#153 0x557d9ec1468e in traits_dump as3/abc.c:596
#154 0x557d9ec14159 in dump_method as3/abc.c:403
#155 0x557d9ec1468e in traits_dump as3/abc.c:596
#156 0x557d9ec14159 in dump_method as3/abc.c:403
#157 0x557d9ec1468e in traits_dump as3/abc.c:596
#158 0x557d9ec14159 in dump_method as3/abc.c:403
#159 0x557d9ec1468e in traits_dump as3/abc.c:596
#160 0x557d9ec14159 in dump_method as3/abc.c:403
#161 0x557d9ec1468e in traits_dump as3/abc.c:596
#162 0x557d9ec14159 in dump_method as3/abc.c:403
#163 0x557d9ec1468e in traits_dump as3/abc.c:596
#164 0x557d9ec14159 in dump_method as3/abc.c:403
#165 0x557d9ec1468e in traits_dump as3/abc.c:596
#166 0x557d9ec14159 in dump_method as3/abc.c:403
#167 0x557d9ec1468e in traits_dump as3/abc.c:596
#168 0x557d9ec14159 in dump_method as3/abc.c:403
#169 0x557d9ec1468e in traits_dump as3/abc.c:596
#170 0x557d9ec14159 in dump_method as3/abc.c:403
#171 0x557d9ec1468e in traits_dump as3/abc.c:596
#172 0x557d9ec14159 in dump_method as3/abc.c:403
#173 0x557d9ec1468e in traits_dump as3/abc.c:596
#174 0x557d9ec14159 in dump_method as3/abc.c:403
#175 0x557d9ec1468e in traits_dump as3/abc.c:596
#176 0x557d9ec14159 in dump_method as3/abc.c:403
#177 0x557d9ec1468e in traits_dump as3/abc.c:596
#178 0x557d9ec14159 in dump_method as3/abc.c:403
#179 0x557d9ec1468e in traits_dump as3/abc.c:596
#180 0x557d9ec14159 in dump_method as3/abc.c:403
#181 0x557d9ec1468e in traits_dump as3/abc.c:596
#182 0x557d9ec14159 in dump_method as3/abc.c:403
#183 0x557d9ec1468e in traits_dump as3/abc.c:596
#184 0x557d9ec14159 in dump_method as3/abc.c:403
#185 0x557d9ec1468e in traits_dump as3/abc.c:596
#186 0x557d9ec14159 in dump_method as3/abc.c:403
#187 0x557d9ec1468e in traits_dump as3/abc.c:596
#188 0x557d9ec14159 in dump_method as3/abc.c:403
#189 0x557d9ec1468e in traits_dump as3/abc.c:596
#190 0x557d9ec14159 in dump_method as3/abc.c:403
#191 0x557d9ec1468e in traits_dump as3/abc.c:596
#192 0x557d9ec14159 in dump_method as3/abc.c:403
#193 0x557d9ec1468e in traits_dump as3/abc.c:596
#194 0x557d9ec14159 in dump_method as3/abc.c:403
#195 0x557d9ec1468e in traits_dump as3/abc.c:596
#196 0x557d9ec14159 in dump_method as3/abc.c:403
#197 0x557d9ec1468e in traits_dump as3/abc.c:596
#198 0x557d9ec14159 in dump_method as3/abc.c:403
#199 0x557d9ec1468e in traits_dump as3/abc.c:596
#200 0x557d9ec14159 in dump_method as3/abc.c:403
#201 0x557d9ec1468e in traits_dump as3/abc.c:596
#202 0x557d9ec14159 in dump_method as3/abc.c:403
#203 0x557d9ec1468e in traits_dump as3/abc.c:596
#204 0x557d9ec14159 in dump_method as3/abc.c:403
#205 0x557d9ec1468e in traits_dump as3/abc.c:596
#206 0x557d9ec14159 in dump_method as3/abc.c:403
#207 0x557d9ec1468e in traits_dump as3/abc.c:596
#208 0x557d9ec14159 in dump_method as3/abc.c:403
#209 0x557d9ec1468e in traits_dump as3/abc.c:596
#210 0x557d9ec14159 in dump_method as3/abc.c:403
#211 0x557d9ec1468e in traits_dump as3/abc.c:596
#212 0x557d9ec14159 in dump_method as3/abc.c:403
#213 0x557d9ec1468e in traits_dump as3/abc.c:596
#214 0x557d9ec14159 in dump_method as3/abc.c:403
#215 0x557d9ec1468e in traits_dump as3/abc.c:596
#216 0x557d9ec14159 in dump_method as3/abc.c:403
#217 0x557d9ec1468e in traits_dump as3/abc.c:596
#218 0x557d9ec14159 in dump_method as3/abc.c:403
#219 0x557d9ec1468e in traits_dump as3/abc.c:596
#220 0x557d9ec14159 in dump_method as3/abc.c:403
#221 0x557d9ec1468e in traits_dump as3/abc.c:596
#222 0x557d9ec14159 in dump_method as3/abc.c:403
#223 0x557d9ec1468e in traits_dump as3/abc.c:596
#224 0x557d9ec14159 in dump_method as3/abc.c:403
#225 0x557d9ec1468e in traits_dump as3/abc.c:596
#226 0x557d9ec14159 in dump_method as3/abc.c:403
#227 0x557d9ec1468e in traits_dump as3/abc.c:596
#228 0x557d9ec14159 in dump_method as3/abc.c:403
#229 0x557d9ec1468e in traits_dump as3/abc.c:596
#230 0x557d9ec14159 in dump_method as3/abc.c:403
#231 0x557d9ec1468e in traits_dump as3/abc.c:596
#232 0x557d9ec14159 in dump_method as3/abc.c:403
#233 0x557d9ec1468e in traits_dump as3/abc.c:596
#234 0x557d9ec14159 in dump_method as3/abc.c:403
#235 0x557d9ec1468e in traits_dump as3/abc.c:596
#236 0x557d9ec14159 in dump_method as3/abc.c:403
#237 0x557d9ec1468e in traits_dump as3/abc.c:596
#238 0x557d9ec14159 in dump_method as3/abc.c:403
#239 0x557d9ec1468e in traits_dump as3/abc.c:596
#240 0x557d9ec14159 in dump_method as3/abc.c:403
#241 0x557d9ec1468e in traits_dump as3/abc.c:596
#242 0x557d9ec14159 in dump_method as3/abc.c:403
#243 0x557d9ec1468e in traits_dump as3/abc.c:596
#244 0x557d9ec14159 in dump_method as3/abc.c:403
#245 0x557d9ec1468e in traits_dump as3/abc.c:596
#246 0x557d9ec14159 in dump_method as3/abc.c:403
#247 0x557d9ec1468e in traits_dump as3/abc.c:596
#248 0x557d9ec14159 in dump_method as3/abc.c:403
#249 0x557d9ec1468e in traits_dump as3/abc.c:596
SUMMARY: AddressSanitizer: stack-overflow /build/glibc-SzIz7B/glibc-2.31/stdio-common/vfprintf-internal.c:1289 in __vfprintf_internal
==963740==ABORTING
