It is possible to create an input file (some examples attached) which causes swfdump to crash with segmentation fault. This is how gdb output looks:
u...@machine:$ gdb --args swftools-0.9.0/inst/bin/swfdump --full exploit_180
...
This GDB was configured as "i486-linux-gnu"...
(gdb) run
Starting program: swftools-0.9.0/inst/bin/swfdump --full exploit_180
[Thread debugging using libthread_db enabled]
[New Thread 0x402e76c0 (LWP 31923)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x402e76c0 (LWP 31923)]
0x0805dd26 in swf_GetU32 (t=0x99475e8) at rfxswf.c:127
127         res = t->data[t->pos] | (t->data[t->pos+1]<<8) |
(gdb) p t->data
$1 = (U8 *) 0x0
(gdb) bt
#0  0x0805dd26 in swf_GetU32 (t=0x99475e8) at rfxswf.c:127
#1  0x0805eae0 in swf_ReadSWF2 (reader=0xbff613b0, swf=0x80ab960) at rfxswf.c:1478
#2  0x0805eb6f in swf_ReadSWF (handle=5, swf=0x80ab960) at rfxswf.c:1507
#3  0x0804d14c in main (argc=-1074391100, argv=0xbff617c4) at swfdump.c:1026

One can see that t->data, which is NULL, is dereferenced at rfxswf.c:127.

Best regards,
Ildar
Attachments: exploit_180 (binary data), exploit_20 (binary data)
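As an added example (not part of Ildar's report or of the swftools source), here is a checked version of the read that faults at rfxswf.c:127: the TAG struct is an assumed minimal stand-in for the real one with a hypothetical len field, and checked_GetU32 is a hypothetical name; it refuses a tag whose data pointer is NULL or too short instead of dereferencing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

typedef uint8_t U8;
typedef uint32_t U32;

/* Hypothetical minimal tag, modelled on the fields visible in the
   backtrace (t->data, t->pos); len is an assumed field used for bounds. */
typedef struct {
    U8 *data;
    size_t pos;
    size_t len;
} TAG;

/* Checked little-endian U32 read. Returns 0 on success and -1 when the
   buffer is missing or has fewer than 4 bytes left, so a truncated or
   malformed tag is reported rather than crashing the parser. */
int checked_GetU32(TAG *t, U32 *out)
{
    if (t == NULL || t->data == NULL) {
        fprintf(stderr, "GetU32: tag has no data buffer\n");
        return -1;
    }
    if (t->pos > t->len || t->len - t->pos < 4) {
        fprintf(stderr, "GetU32: read past end of tag (pos=%zu len=%zu)\n",
                t->pos, t->len);
        return -1;
    }
    /* Cast each byte to U32 before shifting so the <<24 never overflows int. */
    *out = (U32)t->data[t->pos]
         | ((U32)t->data[t->pos + 1] << 8)
         | ((U32)t->data[t->pos + 2] << 16)
         | ((U32)t->data[t->pos + 3] << 24);
    t->pos += 4;
    return 0;
}

/* Constructed: the shape the crash input produces, a tag with no data. */
int demo_null_tag(void)
{
    TAG empty = { NULL, 0, 0 };
    U32 v;
    return checked_GetU32(&empty, &v);   /* -1, no segfault */
}

/* Constructed: a well-formed 4-byte little-endian field. */
U32 demo_valid_tag(void)
{
    U8 buf[4] = { 0x78, 0x56, 0x34, 0x12 };
    TAG t = { buf, 0, sizeof buf };
    U32 v = 0;
    checked_GetU32(&t, &v);
    return v;   /* 0x12345678 */
}
```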
