libdwarf 0.4.0 has a heap-based buffer over-read in _dwarf_check_string_valid in dwarf_util.c.

CVE-2022-32200: DA's Libdwarf Vulnerabilities

An issue was discovered in swftools through 20201222. A heap-buffer-overflow exists in the function swf_GetBits() located in rfxswf.c. It allows an attacker to cause code execution.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==28613==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000efdf at pc 0x00000047238d bp 0x7fffffffdbe0 sp 0x7fffffffdbd0  
READ of size 1 at 0x60300000efdf thread T0  
#0 0x47238c in swf\_GetBits /test/swftools-asan/lib/rfxswf.c:213  
#1 0x4346cc in swf\_GetSimpleShape modules/swfshape.c:66  
#2 0x443fbc in swf\_FontExtract\_DefineFont modules/swftext.c:163  
#3 0x44a096 in swf\_FontExtract modules/swftext.c:597  
#4 0x40c2dc in fontcallback2 /test/swftools-asan/src/swfdump.c:941  
#5 0x4433c6 in swf\_FontEnumerate modules/swftext.c:133  
#6 0x409208 in main /test/swftools-asan/src/swfdump.c:1296  
#7 0x7ffff68a683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#8 0x40c168 in \_start (/test/swftools-asan/src/swfdump+0x40c168)

0x60300000efdf is located 1 bytes to the left of 22-byte region \[0x60300000efe0,0x60300000eff6)  
allocated by thread T0 here:  
#0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)  
#1 0x532fa7 in rfx\_alloc /test/swftools-asan/lib/mem.c:30  
#2 0x541396 (/test/swftools-asan/src/swfdump+0x541396)

SUMMARY: AddressSanitizer: heap-buffer-overflow /test/swftools-asan/lib/rfxswf.c:213 swf\_GetBits  
Shadow bytes around the buggy address:  
0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c067fff9df0: fa fa fa fa fa fa fd fd fd fd fa\[fa\]00 00 06 fa  
0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==28613==ABORTING

POC  
swf\_GetBits\_bof\_poc

CVE-2021-42204: heap-buffer-overflow exists in the function swf_GetBits in rfxswf.c · Issue #169 · matthiaskramm/swftools

An issue was discovered in swftools through 20201222. A heap-use-after-free exists in the function swf_FontExtract_DefineTextCallback() located in swftext.c. It allows an attacker to cause code execution.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==25679==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000d6a0 at pc 0x00000044059d bp 0x7fffffffd270 sp 0x7fffffffd260  
WRITE of size 2 at 0x60600000d6a0 thread T0  
#0 0x44059c in swf\_FontExtract\_DefineTextCallback modules/swftext.c:508  
#1 0x449c46 in swf\_FontExtract\_DefineText modules/swftext.c:532  
#2 0x44a355 in swf\_FontExtract modules/swftext.c:617  
#3 0x40c2dc in fontcallback2 /test/swftools-asan/src/swfdump.c:941  
#4 0x4433c6 in swf\_FontEnumerate modules/swftext.c:133  
#5 0x409208 in main /test/swftools-asan/src/swfdump.c:1296  
#6 0x7ffff68a683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#7 0x40c168 in \_start (/test/swftools-asan/src/swfdump+0x40c168)

0x60600000d6a0 is located 0 bytes inside of 56-byte region \[0x60600000d6a0,0x60600000d6d8)  
freed by thread T0 here:  
#0 0x7ffff6f022ca in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x982ca)  
#1 0x47db2c in swf\_ReadTag /test/swftools-asan/lib/rfxswf.c:1234  
#2 0x541396 (/test/swftools-asan/src/swfdump+0x541396)

previously allocated by thread T0 here:  
#0 0x7ffff6f0279a in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9879a)  
#1 0x53318c in rfx\_calloc /test/swftools-asan/lib/mem.c:69  
#2 0x541396 (/test/swftools-asan/src/swfdump+0x541396)

SUMMARY: AddressSanitizer: heap-use-after-free modules/swftext.c:508 swf\_FontExtract\_DefineTextCallback  
Shadow bytes around the buggy address:  
0x0c0c7fff9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9a90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 fa  
0x0c0c7fff9aa0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa  
0x0c0c7fff9ab0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00  
0x0c0c7fff9ac0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00  
\=>0x0c0c7fff9ad0: fa fa fa fa\[fd\]fd fd fd fd fd fd fa fa fa fa fa  
0x0c0c7fff9ae0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00  
0x0c0c7fff9af0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa  
0x0c0c7fff9b00: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa  
0x0c0c7fff9b10: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00  
0x0c0c7fff9b20: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==25679==ABORTING

POC  
swf\_FontExtract\_DefineTextCallback\_uaf\_poc

CVE-2021-42203: heap-use-after-free exists in the function swf_FontExtract_DefineTextCallback in swftext.c · Issue #176 · matthiaskramm/swftools

An issue was discovered in swftools through 20201222. A NULL pointer dereference exists in the function traits_parse() located in abc.c. It allows an attacker to cause Denial of Service.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==47344==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x000000488d17 bp 0x000000000000 sp 0x7fffffffdd20 T0)  
#0 0x488d16 in traits\_parse as3/abc.c:482  
#1 0x495d41 in swf\_ReadABC as3/abc.c:946  
#2 0x409045 in main /test/swftools-asan/src/swfdump.c:1577  
#3 0x7ffff68a683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#4 0x40c168 in \_start (/test/swftools-asan/src/swfdump+0x40c168)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV as3/abc.c:482 traits\_parse  
\==47344==ABORTING

POC  
traits\_parse\_poc

CVE-2021-42196: A NULL pointer dereference exists in the function traits_parse  in abc.c · Issue #172 · matthiaskramm/swftools

An issue was discovered in swftools through 20201222 through a memory leak in the swftools when swfdump is used. It allows an attacker to cause code execution.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==43305==ERROR: LeakSanitizer: detected memory leaks

Indirect leak of 63245 byte(s) in 2 object(s) allocated from:  
#0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)  
#1 0x532fa7 in rfx\_alloc /test/swftools-asan/lib/mem.c:30  
#2 0x7fffffffe2bf ()

Indirect leak of 144 byte(s) in 3 object(s) allocated from:  
#0 0x7ffff6f0279a in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9879a)  
#1 0x53318c in rfx\_calloc /test/swftools-asan/lib/mem.c:69  
#2 0x7fffffffe2bf ()

SUMMARY: AddressSanitizer: 63389 byte(s) leaked in 5 allocation(s).

POC  
memory\_leaks\_poc

CVE-2021-42197: memory leaks in swftools when we use swfdump · Issue #177 · matthiaskramm/swftools

An issue was discovered in swftools through 20201222. A heap buffer overflow exists in the function swf_FontExtract_DefineTextCallback() located in swftext.c. It allows an attacker to cause code execution.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==29246==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000ffa0 at pc 0x00000044059d bp 0x7fffffffd270 sp 0x7fffffffd260  
WRITE of size 2 at 0x61600000ffa0 thread T0  
#0 0x44059c in swf\_FontExtract\_DefineTextCallback modules/swftext.c:508  
#1 0x449c46 in swf\_FontExtract\_DefineText modules/swftext.c:532  
#2 0x44a355 in swf\_FontExtract modules/swftext.c:617  
#3 0x40c2dc in fontcallback2 /test/swftools-asan/src/swfdump.c:941  
#4 0x4433c6 in swf\_FontEnumerate modules/swftext.c:133  
#5 0x409208 in main /test/swftools-asan/src/swfdump.c:1296  
#6 0x7ffff68a683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#7 0x40c168 in \_start (/test/swftools-asan/src/swfdump+0x40c168)

AddressSanitizer can not describe address in more detail (wild memory access suspected).  
SUMMARY: AddressSanitizer: heap-buffer-overflow modules/swftext.c:508 swf\_FontExtract\_DefineTextCallback  
Shadow bytes around the buggy address:  
0x0c2c7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c2c7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c2c7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c2c7fff9fd0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa  
0x0c2c7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c2c7fff9ff0: fa fa fa fa\[fa\]fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==29246==ABORTING  
POC  
swf\_FontExtract\_DefineTextCallback\_poc

CVE-2021-42199: heap-buffer-overflow exists in the function swf_FontExtract_DefineTextCallback  in swftext.c · Issue #173 · matthiaskramm/swftools

An issue was discovered in swftools through 20201222. A heap-buffer-overflow exists in the function swf_GetD64() located in rfxswf.c. It allows an attacker to cause code execution.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==8687==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000aff8 at pc 0x000000473b4e bp 0x7fffffffdc10 sp 0x7fffffffdc00  
READ of size 8 at 0x60b00000aff8 thread T0  
#0 0x473b4d in swf\_GetD64 /test/swftools-asan/lib/rfxswf.c:520  
#1 0x4a7851 in pool\_read as3/pool.c:1119  
#2 0x4935ec in swf\_ReadABC as3/abc.c:748  
#3 0x409045 in main /test/swftools-asan/src/swfdump.c:1577  
#4 0x7ffff68a683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#5 0x40c168 in \_start (/test/swftools-asan/src/swfdump+0x40c168)

0x60b00000affd is located 0 bytes to the right of 109-byte region \[0x60b00000af90,0x60b00000affd)  
allocated by thread T0 here:  
#0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)  
#1 0x532fa7 in rfx\_alloc /test/swftools-asan/lib/mem.c:30  
#2 0x541396 (/test/swftools-asan/src/swfdump+0x541396)

SUMMARY: AddressSanitizer: heap-buffer-overflow /test/swftools-asan/lib/rfxswf.c:520 swf\_GetD64  
Shadow bytes around the buggy address:  
0x0c167fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c167fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c167fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c167fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c167fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c167fff95f0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00\[05\]  
0x0c167fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c167fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c167fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c167fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c167fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==8687==ABORTING

POC  
swf\_GetD64\_poc

CVE-2021-42201: heap-buffer-overflow exists in the function swf_GetD64 in rfxswf.c · Issue #175 · matthiaskramm/swftools

An issue was discovered in swftools through 20201222. A NULL pointer dereference exists in the function swf_GetBits() located in rfxswf.c. It allows an attacker to cause Denial of Service.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==41593==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000471fac bp 0x0ffffed896e0 sp 0x7fffffffdd30 T0)  
#0 0x471fab in swf\_GetBits /test/swftools-asan/lib/rfxswf.c:213  
#1 0x478bf8 in swf\_GetMatrix /test/swftools-asan/lib/rfxswf.c:867  
#2 0x414975 in handlePlaceObject /test/swftools-asan/src/swfdump.c:831  
#3 0x409acd in main /test/swftools-asan/src/swfdump.c:1604  
#4 0x7ffff68a683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#5 0x40c168 in \_start (/test/swftools-asan/src/swfdump+0x40c168)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV /test/swftools-asan/lib/rfxswf.c:213 swf\_GetBits  
\==41593==ABORTING

POC  
swf\_GetBits\_null\_poc

CVE-2021-42198: A NULL pointer dereference exists in the function swf_GetBits in rfxswf.c · Issue #168 · matthiaskramm/swftools

An issue was discovered in swftools through 20201222. A NULL pointer dereference exists in the function swf_DeleteFilter() located in swffilter.c. It allows an attacker to cause Denial of Service.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==5769==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042ba78 bp 0x000000000073 sp 0x7fffffffdea0 T0)  
#0 0x42ba77 in swf\_DeleteFilter modules/swffilter.c:290  
#1 0x40de0b in dumpButton2Actions /test/swftools-asan/src/swfdump.c:245  
#2 0x409448 in main /test/swftools-asan/src/swfdump.c:1600  
#3 0x7ffff68a683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#4 0x40c168 in \_start (/test/swftools-asan/src/swfdump+0x40c168)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV modules/swffilter.c:290 swf\_DeleteFilter  
\==5769==ABORTING

POC  
swf\_DeleteFilter\_poc

CVE-2021-42202: A NULL pointer dereference exists in the function swf_DeleteFilter in swffilter.c · Issue #171 · matthiaskramm/swftools

An issue was discovered in swftools through 20201222. A NULL pointer dereference exists in the function main() located in swfdump.c. It allows an attacker to cause Denial of Service.

**system info**

Ubuntu x86\_64, clang 6.0, swfdump (latest master a9d5082)

**Command line**

./src/swfdump -D @@

**AddressSanitizer output**

\==1975==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000406f68 bp 0x7fffffffe3a0 sp 0x7fffffffdf30 T0)  
#0 0x406f67 in main /test/swftools-asan/src/swfdump.c:1323  
#1 0x7ffff68a683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#2 0x40c168 in \_start (/test/swftools-asan/src/swfdump+0x40c168)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV /test/swftools-asan/src/swfdump.c:1323 main  
\==1975==ABORTING  
POC  
main\_poc

Tag

#ubuntu