Hello, I'm Michael Ermakov, a member of the team developing Avalanche, a
dynamic defect detection tool (http://code.google.com/p/avalanche/).

Our tool found several inputs that cause a segmentation fault in swfdump
(swftools-0.9.1 from http://www.swftools.org/swftools-0.9.1.tar.gz).

gdb output:

user@machine:$ gdb --args ./swftools-0.9.1/inst/bin/swfdump
swftools-0.9.1/swfdump_exploit
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) r
Starting program: swftools-0.9.1/inst/bin/swfdump
swftools-0.9.1/swfdump_exploit
[Thread debugging using libthread_db enabled]
==== Error: Real Filesize (712) doesn't match header Filesize (0) ====
[HEADER]        File version: 0
[HEADER]        File size: 0
[HEADER]        Frame rate: 0.000000
[HEADER]        Frame count: 0
[HEADER]        Movie width: 0.00
[HEADER]        Movie height: 0.00
[New Thread 0xb753a6b0 (LWP 18489)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb753a6b0 (LWP 18489)]
0x0804d459 in main (argc=-1081959324, argv=0x0) at swfdump.c:1283
1283            if(tag->data[0]&1)
(gdb) p tag->data
$1 = (U8 *) 0x0

tag->data has NULL value and is dereferenced causing segmentation fault.

Input file is attached. Hope this helps!

Best regards,
Michael

Attachment: swfdump_exploit
Description: Binary data
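The report above boils down to two missing checks: the header's declared file size (0) is never validated against the real size, and `tag->data` is dereferenced without confirming that the tag actually carries data. The following is an added example written for this page, not code from swftools or from the reporter; the `tag_t` and `swf_header_t` structs are simplified, hypothetical stand-ins for the library's own types, and the sample buffers are constructed here rather than taken from the attached file.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint8_t U8;

/* Hypothetical, simplified tag record (not swftools' TAG struct).
   data may legitimately be NULL for a zero-length tag, which is exactly
   the case the unguarded `tag->data[0]&1` in swfdump.c did not handle. */
typedef struct {
    uint16_t id;
    uint32_t len;
    U8 *data;
} tag_t;

/* The SWF header fields that swfdump prints under [HEADER]. */
typedef struct {
    int compressed;      /* 1 for a "CWS" signature, 0 for "FWS" */
    U8 version;
    uint32_t file_size;  /* little-endian value stored in the header */
} swf_header_t;

/* Parse the fixed 8-byte SWF header prefix. Returns 0 on success, -1 on error. */
int parse_swf_header(const U8 *buf, size_t buflen, swf_header_t *out)
{
    if (!buf || !out || buflen < 8) return -1;
    if (memcmp(buf, "FWS", 3) == 0) out->compressed = 0;
    else if (memcmp(buf, "CWS", 3) == 0) out->compressed = 1;
    else return -1;
    out->version = buf[3];
    out->file_size = (uint32_t)buf[4] | ((uint32_t)buf[5] << 8) |
                     ((uint32_t)buf[6] << 16) | ((uint32_t)buf[7] << 24);
    return 0;
}

/* Reject a header whose declared size cannot describe the real file:
   smaller than the header itself, or (for uncompressed files) different
   from the real size. Returns 1 if consistent, 0 otherwise. */
int header_is_consistent(const swf_header_t *h, size_t real_size)
{
    if (h->file_size < 8) return 0;
    if (!h->compressed && h->file_size != real_size) return 0;
    return 1;
}

/* Guarded replacement for `tag->data[0]&1`: returns the low bit of the
   first data byte, or -1 when the tag has no data to look at. */
int tag_first_flag(const tag_t *tag)
{
    if (!tag || !tag->data || tag->len == 0) return -1;
    return tag->data[0] & 1;
}

/* Returns 1 if buf parses as a header consistent with its own length. */
int check_sample(const U8 *buf, size_t len)
{
    swf_header_t h;
    if (parse_swf_header(buf, len, &h) != 0) return 0;
    return header_is_consistent(&h, len);
}

/* Constructed samples (not the attached swfdump_exploit file):
   a well-formed 8-byte header, and one declaring version 0 / size 0
   like the values swfdump printed in the report. */
static const U8 SAMPLE_GOOD[8]      = {'F','W','S', 10, 8,0,0,0};
static const U8 SAMPLE_ZERO_SIZE[8] = {'F','W','S',  0, 0,0,0,0};

int demo_null_tag(void)      { tag_t t = {1, 0, NULL};       return tag_first_flag(&t); }
int demo_tag_with_data(void) { U8 d[1] = {3}; tag_t t = {1, 1, d}; return tag_first_flag(&t); }

int main(void)
{
    printf("good header consistent: %d\n", check_sample(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("zero-size header consistent: %d\n", check_sample(SAMPLE_ZERO_SIZE, sizeof SAMPLE_ZERO_SIZE));
    printf("flag of NULL-data tag: %d\n", demo_null_tag());
    printf("flag of tag with data 0x03: %d\n", demo_tag_with_data());
    return 0;
}
```

Rejecting the header early (size 0 is already impossible, since the header alone is 8 bytes) keeps swfdump from ever reaching the tag loop with a file it cannot describe, and the guarded accessor turns the remaining NULL case into an ordinary error path instead of a crash.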
