Headline
CVE-2021-42199: heap-buffer-overflow exists in the function swf_FontExtract_DefineTextCallback in swftext.c · Issue #173 · matthiaskramm/swftools
An issue was discovered in swftools through 20201222. A heap buffer overflow exists in the function swf_FontExtract_DefineTextCallback() located in swftext.c. It allows an attacker to cause code execution.
system info
Ubuntu x86_64, clang 6.0, swfdump (latest master a9d5082)
Command line
./src/swfdump -D @@
AddressSanitizer output
==29246==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000ffa0 at pc 0x00000044059d bp 0x7fffffffd270 sp 0x7fffffffd260
WRITE of size 2 at 0x61600000ffa0 thread T0
#0 0x44059c in swf_FontExtract_DefineTextCallback modules/swftext.c:508
#1 0x449c46 in swf_FontExtract_DefineText modules/swftext.c:532
#2 0x44a355 in swf_FontExtract modules/swftext.c:617
#3 0x40c2dc in fontcallback2 /test/swftools-asan/src/swfdump.c:941
#4 0x4433c6 in swf_FontEnumerate modules/swftext.c:133
#5 0x409208 in main /test/swftools-asan/src/swfdump.c:1296
#6 0x7ffff68a683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#7 0x40c168 in _start (/test/swftools-asan/src/swfdump+0x40c168)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow modules/swftext.c:508 swf_FontExtract_DefineTextCallback
Shadow bytes around the buggy address:
0x0c2c7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9fd0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c2c7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2c7fff9ff0: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==29246==ABORTING
POC
swf_FontExtract_DefineTextCallback_poc