Headline
CVE-2021-42204: heap-buffer-overflow exists in the function swf_GetBits in rfxswf.c · Issue #169 · matthiaskramm/swftools
An issue was discovered in swftools through 20201222. A heap-buffer-overflow exists in the function swf_GetBits() located in rfxswf.c. It allows an attacker to cause code execution.
system info
Ubuntu x86_64, clang 6.0, swfdump (latest master a9d5082)
Command line
./src/swfdump -D @@
AddressSanitizer output
==28613==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000efdf at pc 0x00000047238d bp 0x7fffffffdbe0 sp 0x7fffffffdbd0
READ of size 1 at 0x60300000efdf thread T0
#0 0x47238c in swf_GetBits /test/swftools-asan/lib/rfxswf.c:213
#1 0x4346cc in swf_GetSimpleShape modules/swfshape.c:66
#2 0x443fbc in swf_FontExtract_DefineFont modules/swftext.c:163
#3 0x44a096 in swf_FontExtract modules/swftext.c:597
#4 0x40c2dc in fontcallback2 /test/swftools-asan/src/swfdump.c:941
#5 0x4433c6 in swf_FontEnumerate modules/swftext.c:133
#6 0x409208 in main /test/swftools-asan/src/swfdump.c:1296
#7 0x7ffff68a683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#8 0x40c168 in _start (/test/swftools-asan/src/swfdump+0x40c168)
0x60300000efdf is located 1 bytes to the left of 22-byte region [0x60300000efe0,0x60300000eff6)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x532fa7 in rfx_alloc /test/swftools-asan/lib/mem.c:30
#2 0x541396 (/test/swftools-asan/src/swfdump+0x541396)
SUMMARY: AddressSanitizer: heap-buffer-overflow /test/swftools-asan/lib/rfxswf.c:213 swf_GetBits
Shadow bytes around the buggy address:
0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9df0: fa fa fa fa fa fa fd fd fd fd fa[fa]00 00 06 fa
0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==28613==ABORTING
POC
swf_GetBits_bof_poc