
heap-buffer-overflow exit in swf5lex() at lib/lex.swf5.c:1321

Open. Diggingwei opened this issue 2 years ago, 1 comment

Summary

A heap-buffer-overflow is caused when using swfc, which results in an out-of-bounds write.

Version

$ ./swfc -V
swfc - part of swftools 0.9.2
$ git log --oneline -1
772e55a2 (HEAD, origin/master, origin/HEAD, master)

Platform

$ uname -a
Linux 1cc373898f58 5.4.0-150-generic #167~18.04.1-Ubuntu SMP Wed May 24 00:51:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
clang version : 12.0.0

Reproduce

PoC: poc.zip
Command line: ./swfc poc

Debug Info

==50670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000000d9 at pc 0x0000007bbe80 bp 0x7fffffffc270 sp 0x7fffffffc268
WRITE of size 1 at 0x6290000000d9 thread T0
    #0 0x7bbe7f in swf5lex /src/project/swftools_project/swftools/lib/lex.swf5.c:1321:10
    #1 0x7f0ec6 in swf5parse /src/project/swftools_project/swftools/lib/swf5compiler.tab.c:3061:16
    #2 0x67fe3d in compileSWFActionCode /src/project/swftools_project/swftools/lib/action/actioncompiler.c:90:6
    #3 0x58fb43 in swf_ActionCompile /src/project/swftools_project/swftools/lib/modules/swfaction.c:1111:11
    #4 0x5005d5 in s_action /src/project/swftools_project/swftools/src/swfc.c:1966:13
    #5 0x541fd0 in c_action /src/project/swftools_project/swftools/src/swfc.c
    #6 0x51b3ad in parseArgumentsForCommand /src/project/swftools_project/swftools/src/swfc.c:4475:5
    #7 0x51b3ad in main /src/project/swftools_project/swftools/src/swfc.c:4598:2
    #8 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #9 0x41d61d in _start (/src/project/swftools_project/swftools/src/swfc+0x41d61d)
0x6290000000d9 is located 295 bytes to the left of 16386-byte region [0x629000000200,0x629000004202)
freed by thread T0 here:
    #0 0x498612 in free (/src/project/swftools_project/swftools/src/swfc+0x498612)
    #1 0x4e8c6e in yyfree /src/project/swftools_project/swftools/src/parser.yy.c:2217:2
    #2 0x4e8c6e in yy_delete_buffer /src/project/swftools_project/swftools/src/parser.yy.c:1759:3
    #3 0x4e8c6e in generateTokens /src/project/swftools_project/swftools/src/parser.lex:315:5
    #4 0x51aa9d in main /src/project/swftools_project/swftools/src/swfc.c:4585:12
    #5 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

previously allocated by thread T0 here:
    #0 0x49887d in malloc (/src/project/swftools_project/swftools/src/swfc+0x49887d)    
    #1 0x4db8e7 in yyalloc /src/project/swftools_project/swftools/src/parser.yy.c:2200:18
    #2 0x4db8e7 in yy_create_buffer /src/project/swftools_project/swftools/src/parser.yy.c:1734:26

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/project/swftools_project/swftools/lib/lex.swf5.c:1321:10 in swf5lex
Shadow bytes around the buggy address:
  0x0c527fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c527fff8010: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c527fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c527fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c527fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==50670==ABORTING

Diggingwei, Jan 10 '24 12:01
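Triage helper for reports like the one above, added here as an example and not part of the swftools project or of this issue: it parses the AddressSanitizer output into the fields a crash-triage queue keys on (bug class, access kind and size, the first source-level frame, and where the faulting address sits relative to the nearest heap region and whether that region was already freed). The embedded report is a trimmed copy of the one posted in this issue; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Trimmed copy of the AddressSanitizer report from this issue, embedded so
# the script runs offline. Only the sections the parser needs are kept.
ASAN_REPORT = """\
==50670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000000d9 at pc 0x0000007bbe80 bp 0x7fffffffc270 sp 0x7fffffffc268
WRITE of size 1 at 0x6290000000d9 thread T0
    #0 0x7bbe7f in swf5lex /src/project/swftools_project/swftools/lib/lex.swf5.c:1321:10
    #1 0x7f0ec6 in swf5parse /src/project/swftools_project/swftools/lib/swf5compiler.tab.c:3061:16
    #2 0x67fe3d in compileSWFActionCode /src/project/swftools_project/swftools/lib/action/actioncompiler.c:90:6
0x6290000000d9 is located 295 bytes to the left of 16386-byte region [0x629000000200,0x629000004202)
freed by thread T0 here:
    #0 0x498612 in free (/src/project/swftools_project/swftools/src/swfc+0x498612)
    #1 0x4e8c6e in yyfree /src/project/swftools_project/swftools/src/parser.yy.c:2217:2
previously allocated by thread T0 here:
    #0 0x49887d in malloc (/src/project/swftools_project/swftools/src/swfc+0x49887d)
    #1 0x4db8e7 in yyalloc /src/project/swftools_project/swftools/src/parser.yy.c:2200:18
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/project/swftools_project/swftools/lib/lex.swf5.c:1321:10 in swf5lex
"""


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line:col" or "(module+offset)"


@dataclass
class AsanTriage:
    bug_type: str                       # e.g. heap-buffer-overflow
    access: Optional[str] = None        # READ or WRITE
    access_size: Optional[int] = None   # bytes accessed
    crash_frames: List[Frame] = field(default_factory=list)
    offset: Optional[int] = None        # distance from the nearest region
    side: Optional[str] = None          # left / right / inside
    region_size: Optional[int] = None   # size of that region in bytes
    region_freed: bool = False          # True if ASan printed a "freed by" stack


HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(.*)$")
REGION_RE = re.compile(
    r"is located (\d+) bytes (to the left of|to the right of|inside of) (\d+)-byte region")
SIDE = {"to the left of": "left", "to the right of": "right", "inside of": "inside"}
# Non-greedy path so "file.c:1321:10" yields line 1321, not column 10.
SOURCE_LOC_RE = re.compile(r"^(.+?):(\d+)(?::\d+)?$")


def parse_asan_report(text: str) -> AsanTriage:
    """Walk the report line by line, tracking which stack section we are in."""
    triage: Optional[AsanTriage] = None
    section: Optional[str] = None  # "crash", "freed" or "allocated"
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            triage = AsanTriage(bug_type=m.group(1))
            continue
        if triage is None:
            continue  # ignore anything before the ERROR header
        m = ACCESS_RE.match(line)
        if m:
            triage.access, triage.access_size = m.group(1), int(m.group(2))
            section = "crash"  # frames that follow belong to the faulting access
            continue
        m = REGION_RE.search(line)
        if m:
            triage.offset = int(m.group(1))
            triage.side = SIDE[m.group(2)]
            triage.region_size = int(m.group(3))
            continue
        if line.startswith("freed by thread"):
            triage.region_freed = True
            section = "freed"
            continue
        if line.startswith("previously allocated by"):
            section = "allocated"
            continue
        m = FRAME_RE.match(line)
        if m and section == "crash":
            triage.crash_frames.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if triage is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return triage


def first_source_frame(triage: AsanTriage) -> Optional[Tuple[str, int]]:
    """First crash frame with a file:line location (skips module+offset frames)."""
    for fr in triage.crash_frames:
        m = SOURCE_LOC_RE.match(fr.location)
        if m:
            return m.group(1), int(m.group(2))
    return None


def describe(triage: AsanTriage) -> str:
    """One-line summary suitable for a crash-triage queue entry."""
    where = first_source_frame(triage)
    loc = f"{where[0]}:{where[1]}" if where else "unknown location"
    freed = "freed " if triage.region_freed else ""
    return (f"{triage.bug_type}: {triage.access} of {triage.access_size} byte(s), "
            f"{triage.offset} bytes {triage.side} of a {freed}{triage.region_size}-byte "
            f"region, in {triage.crash_frames[0].function} ({loc})")


if __name__ == "__main__":
    print(describe(parse_asan_report(ASAN_REPORT)))
```

A write that lands in the left redzone (shadow byte `fa`) of a region ASan reports as already freed is worth flagging separately from a plain overrun: the "nearest region" ASan names is only its best guess for context, so the buffer the lexer actually meant to touch may be a different one, and the triage entry should carry both the offset and the freed flag rather than the region size alone.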

hello~ when I reproduce this bug, it echoes these messages as follows:

$ ./swfc ../../poc 
"../../poc", line 3 column 17: warning- Couldn't open file "cxform.swf": No such file or directory
error: 
Line 8: Reason: 'Unexpected EOF found while looking for input.'
"../../poc", line 6 column 12: error- Couldn't compile ActionScript

Is it a success or not?

kittener, Oct 11 '24 15:10