matthiaskramm / swftools Goto Github PK
View Code? Open in Web Editor NEWUtilities for editing and generating Adobe Flash (SWF) files.
License: GNU General Public License v2.0
swftools's People
Stargazers
Watchers
Forkers
mietek luiseduardohdbackup zaidan rmzr7 cadewey samchild fhchina flexpaper onmore riadvice mrchnk sanyaade-crm-cms-lms scireum turchinc myvyang koodaamo pombredanne ikvm scriptmatico knowsis mems venkatarajasekhar neariot louisbrunner akash0x53 asmblur generalzgd zhangjinxing 0ca guangminglion borgified gbalint pus2inbo2ts prezi retsyo kusharami udif se7enkings yangkf1985 smile-ttxp iyuohz davebiffuk disneylucy stantoxt tencupofkaiwater alphonsetai coolwzq tielobraga lovechiba w1146869587 noraj eldk ruknow yhs0602 justforkin romache haojp mblurtonww shyamalschandra seabreg mkbiltek2019 bob9084 yoya spencer112 arbruijn 5l1v3r1 oppen carmanzhang dragonzx robert-mcdowell dekoder joshua-anderson 1xup robin840211 shihuihzh deverac zziger n-r-w rnshah9 mayhemheroes skyn9ne noise23 templain newrain7803 chaima-elbahraoui theentropyshard miguelzamora13 siralfrednobel flanter21swftools's Issues
3 bugs of png2swf
bug 1: atribute write caused by a logic bug
In function png_load, there is no check for realoc. If the result of realloc is 0, the data will be written into address zimagedatalen. We could control the value of zimagedatalen to achieve atribute write.
https://github.com/matthiaskramm/swftools/blob/392fb1f3cd9a5b167787c551615c651c3f5326f2/lib/png.c#L546
https://github.com/matthiaskramm/swftools/blob/392fb1f3cd9a5b167787c551615c651c3f5326f2/lib/png.c#L547
bug 2: crash caused by a logic bug
In fuction png_read_chunk, there is no check for malloc. If malloc failed, *destdata=0, fread will write address 0 and crash the binary.
https://github.com/matthiaskramm/swftools/blob/54657f9ba3dd4fa3e54c8f8c18f3def7a42d1f1c/src/png2swf.c#L127
https://github.com/matthiaskramm/swftools/blob/54657f9ba3dd4fa3e54c8f8c18f3def7a42d1f1c/src/png2swf.c#L130
bug 3: integer overflow -> heapoverflow
In function png_load, both header,width and header.height are 4 bytes, and alleclen_64 is 8 bytes. header,width * header.height *4 may be greater than 8 bytes, which caused integer overflow. Further can cause heap overflow.
https://github.com/matthiaskramm/swftools/blob/392fb1f3cd9a5b167787c551615c651c3f5326f2/lib/png.c#L579
A heapoverflow bug of png2swf.
A heapoverflow bug of png2swf.
poc: https://drive.google.com/open?id=10RJHlWpMJ0LVWyEqPpvODhH7tyKZbOsR
asan: https://drive.google.com/open?id=1XJI_XKtLFv7gRDPYKSvmAC5RI5sHL6_h
png_read_header
parameter a is a char type, and header->bpp is an int type
when a is 0x80, the header->app will become 0xffffff80 by the evaluate operation
when using bpp, the pos will become a really big number, which caused the heap overflow
swfc mem_put_() crash
Crash : https://raw.githubusercontent.com/lcatro/My_PoC/master/swftools/swfc_crash_mem_put_
Trigger : ./swfc swftools/swfc_crash_mem_put_
Crash Detail :
`
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./swfc swftools/swfc_crash_mem_put_
==18776==ERROR: AddressSanitizer: negative-size-param: (size=-1)
#0 0x7f4914cd39a1 in _asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c9a1)
#1 0x487d52 in mem_put (/home/fuzzer/fuzzing/swftools/src/swfc+0x487d52)
#2 0x488202 in mem_putstring (/home/fuzzer/fuzzing/swftools/src/swfc+0x488202)
#3 0x402f59 in store (/home/fuzzer/fuzzing/swftools/src/swfc+0x402f59)
#4 0x4042ed in yylex (/home/fuzzer/fuzzing/swftools/src/swfc+0x4042ed)
#5 0x404f8a in generateTokens (/home/fuzzer/fuzzing/swftools/src/swfc+0x404f8a)
#6 0x411194 in main (/home/fuzzer/fuzzing/swftools/src/swfc+0x411194)
#7 0x7f491412282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x402a08 in _start (/home/fuzzer/fuzzing/swftools/src/swfc+0x402a08)
0x629000005201 is located 1 bytes inside of 16386-byte region [0x629000005200,0x629000009202)
allocated by thread T0 here:
#0 0x7f4914cdf602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x403247 in yyalloc (/home/fuzzer/fuzzing/swftools/src/swfc+0x403247)
SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memcpy
==18776==ABORTING
`
fix a match bug in MULTILINE_COMMENT
in Line 533 of the tokenizer.lex, there is a fix that I found useful.
Hat-tip to @kamael
swfcombine swf_DeleteFilter() Null-pointer access
Trigger : ./swfcombine -t -m -G -B -v -z -f -o /dev/null swftools/swfcombine_-t-m-G-B-v-z-f-o_dev_null_swf_DeleteFilter_44EF7C
Crash Detail :
`
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./swfcombine -t -m -G -B -v -z -f -o /dev/null swftools/swfcombine_-t-m-G-B-v-z-f-o_dev_null_swf_DeleteFilter_44EF7C
NOTICE Combine [(null)]none and [Frame00]swftools/swfcombine_-t-m-G-B-v-z-f-o_dev_null_swf_DeleteFilter_44EF7C
NOTICE Slave file attached to named object Frame00 (1).
Reading of filter type 66 not supported yet
ASAN:SIGSEGV
==18817==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000040f74c bp 0x000000000000 sp 0x7ffc00e43310 T0)
#0 0x40f74b in swf_DeleteFilter (/home/fuzzer/fuzzing/swftools/src/swfcombine+0x40f74b)
#1 0x40a18c in enumerateUsedIDs (/home/fuzzer/fuzzing/swftools/src/swfcombine+0x40a18c)
#2 0x40a99d in swf_GetNumUsedIDs (/home/fuzzer/fuzzing/swftools/src/swfcombine+0x40a99d)
#3 0x40ab1a in swf_Relocate (/home/fuzzer/fuzzing/swftools/src/swfcombine+0x40ab1a)
#4 0x404346 in normalcombine (/home/fuzzer/fuzzing/swftools/src/swfcombine+0x404346)
#5 0x404857 in combine (/home/fuzzer/fuzzing/swftools/src/swfcombine+0x404857)
#6 0x405584 in main (/home/fuzzer/fuzzing/swftools/src/swfcombine+0x405584)
#7 0x7ffa9aea682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x401e48 in _start (/home/fuzzer/fuzzing/swftools/src/swfcombine+0x401e48)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 swf_DeleteFilter
==18817==ABORTING
`
Compiling Errors: lib/jpeg.c needs update
SWFTool doesn't compile under Mac OS X 10.11.6.
You need to update swftools/lib/jpeg.c as per advice of a jpeg developer (at https://trac.macports.org/ticket/42735#comment:8) by substituting the following lines:
#ifdef HAVE_JPEGLIB
#define HAVE_BOOLEAN
#include <jpeglib.h>
with:
#ifdef HAVE_JPEGLIB
#ifndef FALSE /* in case these macros already exist */
#define FALSE 0 /* values of boolean */
#endif
#ifndef TRUE
#define TRUE 1
#endif
#define HAVE_BOOLEAN
#include <jpeglib.h>
Segmentation Fault:An out-of-bound read of heap data issue can occur in function png_load()(lib/png.c:724).
An out-of-bound read of heap data issue can occur in function png_load()(lib/png.c:724).
This issue can be caused by a malformed PNG file though png2swf. Attackers could exploit this issue to result in DoS.
#compiled normally
$ analysis ./png2swf-test crashes_use/000007.png
[1] 20251 segmentation fault ./png2swf-test crashes_use/000007.png
#compiled with CFLAGS=’-fsanitize=address’(AddressSanitizer)
$ analysis ./png2swf-dbg crashes_use/000007.png
==21316==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006972 at pc 0x00000045976c bp 0x7ffdf08becc0 sp 0x7ffdf08becb0
READ of size 1 at 0x619000006972 thread T0
#0 0x45976b in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:736
#1 0x40865e in MovieAddFrame /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:491
#2 0x40af7d in main /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:816
#3 0x7f5fefa8e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x402838 in _start (/home/kirito/Desktop/fuzz/swftools/swftools-2013-04-09-1007/fuzz_0/analysis/png2swf-dbg+0x402838)
0x619000006972 is located 14 bytes to the left of 1056-byte region [0x619000006980,0x619000006da0)
allocated by thread T0 here:
#0 0x7f5ff0342602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4556bd in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:506
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:736 png_load
Shadow bytes around the buggy address:
0x0c327fff8cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff8d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
0x0c327fff8d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==21316==ABORTING
The attachment is the PoC and a brief report.
000007.zip
investigate older CVEs
These are from Debian pending issues:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8420
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9924
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9925
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9926
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9927
We should investigate whether any of them is still valid.
pdf2swf stack-overflow
Trigger : ./pdf2swf -z -i -w -b -l -f -G -I -o /den/null swftools/pdf2swf_-z_-i_-w_-b_-l_-f_-G_-I_-o_dev_null_copyString_stack_flow
Crash Detail :
root@libfuzzer-virtual-machine:/home/libfuzzer/fuzzing/swftools/src# ./pdf2swf -z -i -w -b -l -f -G -I -o /den/null swftools/pdf2swf_-z_-i_-w_-b_-l_-f_-G_-I_-o_dev_null_copyString_stack_flow
ASAN:DEADLYSIGNAL
==22623==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc6f304ff0 (pc 0x0000004d883e bp 0x000000000080 sp 0x7ffc6f304ff0 T0)
#0 0x4d883d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x4d883d)
#1 0x42291e (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x42291e)
#2 0x4bd001 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x4bd001)
#3 0x53ce39 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x53ce39)
#4 0x53ce87 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x53ce87)
#5 0x53cfaf (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x53cfaf)
#6 0x53cfc6 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x53cfc6)
#7 0x549e12 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x549e12)
#8 0x54ca81 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54ca81)
#9 0x54a4c0 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a4c0)
#10 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#11 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#12 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#13 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#14 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#15 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#16 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#17 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#18 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#19 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#20 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#21 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#22 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#23 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#24 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#25 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#26 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#27 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#28 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#29 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#30 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#31 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#32 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#33 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#34 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#35 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#36 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#37 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#38 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#39 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#40 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#41 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#42 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#43 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#44 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#45 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#46 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#47 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#48 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#49 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#50 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#51 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#52 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#53 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#54 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#55 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#56 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#57 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#58 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#59 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#60 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#61 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#62 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#63 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#64 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#65 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#66 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#67 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#68 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#69 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#70 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#71 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#72 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#73 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#74 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#75 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#76 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#77 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#78 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#79 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#80 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#81 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#82 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#83 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#84 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#85 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#86 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#87 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#88 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#89 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#90 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#91 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#92 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#93 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#94 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#95 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#96 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#97 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#98 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#99 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#100 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#101 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#102 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#103 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#104 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#105 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#106 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#107 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#108 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#109 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#110 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#111 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#112 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#113 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#114 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#115 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#116 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#117 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#118 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#119 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#120 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#121 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#122 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#123 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#124 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#125 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#126 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#127 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#128 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#129 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#130 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#131 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#132 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#133 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#134 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#135 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#136 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#137 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#138 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#139 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#140 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#141 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#142 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#143 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#144 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#145 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#146 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#147 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#148 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#149 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#150 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#151 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#152 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#153 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#154 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#155 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#156 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#157 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#158 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#159 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#160 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#161 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#162 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#163 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#164 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#165 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#166 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#167 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#168 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#169 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#170 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#171 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#172 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#173 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#174 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#175 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#176 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#177 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#178 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#179 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#180 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#181 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#182 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#183 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#184 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#185 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#186 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#187 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#188 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#189 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#190 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#191 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#192 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#193 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#194 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#195 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#196 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#197 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#198 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#199 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#200 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#201 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#202 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#203 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#204 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#205 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#206 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#207 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#208 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#209 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#210 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#211 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#212 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#213 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#214 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#215 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#216 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#217 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#218 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#219 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#220 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#221 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#222 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#223 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#224 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#225 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#226 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#227 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#228 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#229 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#230 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#231 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#232 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#233 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#234 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#235 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#236 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#237 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#238 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#239 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#240 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#241 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#242 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#243 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#244 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#245 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#246 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#247 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#248 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
#249 0x54a6c9 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54a6c9)
#250 0x54c854 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c854)
#251 0x54c71d (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x54c71d)
SUMMARY: AddressSanitizer: stack-overflow (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x4d883d)
==22623==ABORTING
swf_GetBits() Address Access Except
crash : https://raw.githubusercontent.com/lcatro/My_PoC/master/swftools/swfdump_crash_swf_GetBit_0x451A6C_
trigger : ./swfdump swftools/swfdump_crash_swf_GetBit_0x451A6C_
Crash Detail :
`
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./swfdump swftools/swfdump_crash_swf_GetBit_0x451A6C_
rfxswf: Warning: Short read (tagid 979). File truncated?
==== Error: Real Filesize (171) doesn't match header Filesize (65688) ====
[HEADER] File version: 4
[HEADER] File size: 65688
[HEADER] Frame rate: 129.000000
[HEADER] Frame count: 2
[HEADER] Movie width: 0.00
[HEADER] Movie height: 0.00
[000] 1 END
==== Error: End Tag not empty ====
[000] 0 END
==== Error: Unknown tag:0x230 ====
[230] 0 (null)
==== Error: Unknown tag:0x088 ====
[088] 6 (null)
==== Error: Unknown tag:0x274 ====
[274] 15 (null)
[008] 0 JPEGTABLES
[004] 7 PLACEOBJECT places id 0000 at depth 8c00
GetU16() out of bounds: TagID = 4
GetU16() out of bounds: TagID = 4
GetU16() out of bounds: TagID = 4
[004] 0 PLACEOBJECT places id 0000 at depth 0000
GetU16() out of bounds: TagID = 4
GetU16() out of bounds: TagID = 4
GetBits() out of bounds: TagID = 4, pos=0, len=0
ASAN:SIGSEGV
==18740==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffffffffff (pc 0x000000414cf8 bp 0x60600000ed20 sp 0x7ffd0d5218d0 T0)
#0 0x414cf7 in swf_GetBits (/home/fuzzer/fuzzing/swftools/src/swfdump+0x414cf7)
#1 0x415e0c in swf_GetMatrix (/home/fuzzer/fuzzing/swftools/src/swfdump+0x415e0c)
#2 0x403f4c in handlePlaceObject (/home/fuzzer/fuzzing/swftools/src/swfdump+0x403f4c)
#3 0x406154 in main (/home/fuzzer/fuzzing/swftools/src/swfdump+0x406154)
#4 0x7fa7f2acc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x401998 in _start (/home/fuzzer/fuzzing/swftools/src/swfdump+0x401998)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 swf_GetBits
==18740==ABORTING
`
failed to compile the last GIT
Hi Matthias,
I tried to compile the last git
but it tells me
Your gcc is too old to compile this!
asking to use gcc 3.0.0 at least
I use Fedora 25 with gcc 6.4.1 ;)
gfx2gfx: errors in converting swf to pdf
I've succesfully compiled SWFTools for Mac OS X 10.11.6 by fixing the jpeg.c file (as per thread https://github.com/matthiaskramm/swftools/issues/37) given that I had some errors.
In particular I've compiled gfx2gfx without errors but if I use it with the command:
gfx2gfx test.swf -o test.pdf
I get the following errors:
Error: ID 142 unknown
Error: ID 145 unknown
Error: ID 148 unknown
Error: ID 151 unknown
Error: ID 154 unknown
Error: ID 157 unknown
Error: ID 160 unknown
Error: ID 163 unknown
Error: ID 166 unknown
Error: ID 169 unknown
Error: ID 172 unknown
Error: ID 175 unknown
Error: ID 178 unknown
Error: ID 181 unknown
Error: ID 184 unknown
Error: ID 187 unknown
Error: ID 190 unknown
Error: ID 193 unknown
Error: ID 196 unknown
Error: ID 199 unknown
Error: ID 202 unknown
Error: ID 205 unknown
Error: ID 208 unknown
Error: ID 211 unknown
Error: ID 214 unknown
Error: ID 217 unknown
Error: ID 220 unknown
Error: ID 223 unknown
Error: ID 226 unknown
Error: ID 229 unknown
Error: ID 232 unknown
Error: ID 235 unknown
Error: ID 238 unknown
Error: ID 241 unknown
Error: ID 244 unknown
Error: ID 247 unknown
Error: ID 250 unknown
Error: ID 253 unknown
Error: ID 256 unknown
Error: ID 259 unknown
Error: ID 262 unknown
Error: ID 265 unknown
Error: ID 268 unknown
Error: ID 271 unknown
Error: ID 274 unknown
Error: ID 277 unknown
Error: ID 280 unknown
Error: ID 283 unknown
Error: ID 286 unknown
Error: ID 289 unknown
Error: ID 292 unknown
Error: ID 295 unknown
Error: ID 298 unknown
Do you have any idea what this is? How can I fix it?
swfrender Assert Fault
Crash : https://raw.githubusercontent.com/lcatro/My_PoC/master/swftools/swfrender_l_assert_falut
Trigger : ./swfrender -l swftools/swfrender_l_assert_falut
Crash Detail :
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./swfrender -l swftools/swfrender_l_assert_falut -l is not a valid SWF file or contains errors. swfrender: swfrender.c:156: main: Assertionswf.movieSize.xmax > swf.movieSize.xmin && swf.movieSize.ymax > swf.movieSize.ymin' failed.
Aborted (core dumped)
`
support opening a file object in Python gfx.open
Currently, a file name is required. This is mostly fine for command-line apps but for using the Python gfx package as part of another app it's suboptimum. Being able to pass a file object (StringIO on Python2 etc.), or data string, would be better.
swfbytes open no exist file will crash
swfbyte open a exist swf file will output some information
`
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./swfbytes ../swfs/keyboard_viewer.swf
Version: 4
FrameRate: 25.000000
FrameCount: 1
Width: 1024.00
X-Offset: 0.00
Height: 768.00
Y-Offset: 0.00
SETBACKGROUNDCOLOR
| ff ff ff
DEFINESPRITE <23>
| 17 00 00 00
END
PLACEOBJECT2 <23>
| 22 01 00 17 00 76 69 65 77 70 6f 72 74 00
DEFINESHAPE <77>
| 4d 00 80 00 02 80 00 00 01 e0 00 01 00 00 00 00
| 01 28 00 00 00 00 11 2c 1f c2 80 07 ab c0 0f 8b
| 00 0f 58 80 00 00
DEFINEBUTTON2 <30>
| 1e 00 00 0a 00 08 4d 00 01 00 00 00 00 16 00 00
| 02 8b 09 00 76 69 65 77 70 6f 72 74 00 05 8b 01
| 00 00 00 16 00 00 04 8b 09 00 76 69 65 77 70 6f
| 72 74 00 04 8b 01 00 00 00 16 00 00 40 8b 09 00
| 76 69 65 77 70 6f 72 74 00 04 8b 01 00 00 00 1e
| 00 00 36 83 16 00 6c 69 63 68 74 66 61 72 62 65
| 2e 68 74 6d 6c 00 5f 74 68 69 73 00 00 00 00 00
| 1a 83 12 00 70 68 79 62 61 73 2e 68 74 6d 6c 00
| 5f 74 68 69 73 00 00
DOACTION
| 07 8b 09 00 76 69 65 77 70 6f 72 74 00 07 8b 01
| 00 00 96 0c 00 00 2f 3a 73 75 62 74 69 74 6c 65
| 00 96 02 00 00 00 1d 00
PLACEOBJECT2 <30>
| 02 02 00 1e 00
DEFINEFONT2 <118>
| 76 00 90 00 0f 54 69 6d 65 73 20 4e 65 77 20 52
| 6f 6d 61 6e 00 00 00 00 00 00 00 00 00 00
DEFINEEDITTEXT <119>
| 77 00 80 25 82 29 c0 00 00 32 00 2d 20 76 00 20
| 03 00 00 00 ff 00 00 00 00 00 00 00 00 00 2f 3a
| 73 75 62 74 69 74 6c 65 00
PLACEOBJECT2 <119>
| 02 04 00 77 00
SHOWFRAME
END
`
but put a invalid value ,it will crash
`
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./swfbytes noooooooo
ASAN:SIGSEGV
==18709==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2064b6b8f0 bp 0x000000000000 sp 0x7ffe15091578 T0)
#0 0x7f2064b6b8ef (/lib/x86_64-linux-gnu/libc.so.6+0x758ef)
#1 0x40173e in readline (/home/fuzzer/fuzzing/swftools/src/swfbytes+0x40173e)
#2 0x40214c in parseFile (/home/fuzzer/fuzzing/swftools/src/swfbytes+0x40214c)
#3 0x40280a in main (/home/fuzzer/fuzzing/swftools/src/swfbytes+0x40280a)
#4 0x7f2064b1682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x401608 in _start (/home/fuzzer/fuzzing/swftools/src/swfbytes+0x401608)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==18709==ABORTING
`
A null pointer dereference bug of swfrender
A null pointer dereference bug of swfrender
poc: https://drive.google.com/open?id=1GnHnojAXyZuAC-KkUIvRZTWFc0Popv3i
asan: https://drive.google.com/open?id=1wLHRbskl0CQPXA6IkLH01pP2dbhlWyIK
the problem is in the function uncompress
when function uncompress failed, this function will return 0
so the *swf_ExtractImage will return 0.
https://github.com/matthiaskramm/swftools/blob/master/lib/readers/swf.c#L405
data will be a NULL when construct it.
void *data = swf_ExtractImage(tag, &width, &height);
After that, gfximage_new will make a new struct in which the data is a NULL pointer.
it caused a NULL pointer reference when calling fill_line_bitmap
gif2swf MovieAddFrame() memcpy overflow
Trigger : ./gif2swf -r 2 -o /dev/null -z swftools/git2swf_-r_2_-o_dev_null_-z_memory_corruption__fopen
Crash Detail :
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./gif2swf -r 2 -o /dev/null -z swftools/git2swf_-r_2_-o_dev_null_-z_memory_corruption__fopen
==29933==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c000006f10 at pc 0x7ff90bb97904 bp 0x7fff993b5990 sp 0x7fff993b5138
WRITE of size 60 at 0x61c000006f10 thread T0
#0 0x7ff90bb97903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
#1 0x4028b4 in MovieAddFrame (/home/fuzzer/fuzzing/swftools/src/gif2swf+0x4028b4)
#2 0x403a91 in main (/home/fuzzer/fuzzing/swftools/src/gif2swf+0x403a91)
#3 0x7ff90b0e682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x401ff8 in _start (/home/fuzzer/fuzzing/swftools/src/gif2swf+0x401ff8)
0x61c000006f10 is located 0 bytes to the right of 1680-byte region [0x61c000006880,0x61c000006f10)
allocated by thread T0 here:
#0 0x7ff90bba3602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4027d5 in MovieAddFrame (/home/fuzzer/fuzzing/swftools/src/gif2swf+0x4027d5)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x0c387fff8d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c387fff8da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c387fff8db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c387fff8dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c387fff8dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c387fff8de0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c387fff8df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c387fff8e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c387fff8e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c387fff8e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c387fff8e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==29933==ABORTING
A memleak bug of png2swf.
A memleak bug of png2swf.
poc1: https://drive.google.com/open?id=1MUuOab8EYCwhDUH9cC5DwSuF_slthBPd
asan1: https://drive.google.com/open?id=1h-w58olMDSpXohrNGDk-hLGEQjwhKDiO
poc2: https://drive.google.com/open?id=1QUpPmR9KQPWPsMVakzWhqgB8t0WQGW5f
asan2: https://drive.google.com/open?id=1jSFnQFLiiDPXVXZnYQZ7pRaK0g8PZJL7
In fuction png_load: when cmp with PLTE and tRNS, the data which is alloc is saved on palette/alphapalette, but not free, which can cause a memleak bug.
patch: free it
divide by zero exception in wav_convert2mono in wav.c
one divide by zero exception in wav_convert2mono in wav.c which allows attacker to cause a denial of service.
poc file:
poc.tar.gz
To reproduce:
./wav2swf -o output $poc
ASan:
==73857==ERROR: AddressSanitizer: FPE on unknown address 0x000000521455 (pc 0x000000521455 bp 0x7ffcdcbbc3d0 sp 0x7ffcdcbbc2d0 T0)
#0 0x521454 in wav_convert2mono (/home/s2e/asan/swftools-master/src/wav2swf+0x521454)
#1 0x4eb5e1 in main (/home/s2e/asan/swftools-master/src/wav2swf+0x4eb5e1)
#2 0x7f5de893d82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#3 0x419658 in _start (/home/s2e/asan/swftools-master/src/wav2swf+0x419658)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE (/home/s2e/asan/swftools-master/src/wav2swf+0x521454) in wav_convert2mono
==73857==ABORTING
release the Python gfx module in PyPI
It seems to me the Python gfx library provided as part of swftools is very useful. It would be great if that could somehow be packaged separately and released at PyPI (Python Package Index) so it would be easy to find and use.
pdf2swf Invalid-Address-Access
Trigger : ./pdf2swf -z -i -w -b -l -f -G -I -o /den/null swftools/pdf2swf_-z_-i_-w_-b_-l_-f_-G_-I_-o_dev_null_crash_InfoOutputDev_type3D0
Crash Detail :
root@libfuzzer-virtual-machine:/home/libfuzzer/fuzzing/swftools/src# ./pdf2swf -z -i -w -b -l -f -G -I -o /den/null swftools/pdf2swf_-z_-i_-w_-b_-l_-f_-G_-I_-o_dev_null_crash_InfoOutputDev_type3D0
Error (1374): Unknown operator 'f13'
ASAN:DEADLYSIGNAL
==13314==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0000005b5a77 bp 0x7ffe5b30d020 sp 0x7ffe5b30cff8 T0)
#0 0x5b5a76 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x5b5a76)
#1 0x573d26 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x573d26)
#2 0x5739f3 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x5739f3)
#3 0x564fca (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x564fca)
#4 0x564d58 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x564d58)
#5 0x53d6f7 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x53d6f7)
#6 0x53ae87 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x53ae87)
#7 0x4f266f (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x4f266f)
#8 0x4f2c47 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x4f2c47)
#9 0x7f5568e8582f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x41cef8 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x41cef8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x5b5a76)
==13314==ABORTING
swfc dict_lookup() Null-pointer access
Crash : https://raw.githubusercontent.com/lcatro/My_PoC/master/swftools/swfc_crash_dict_do_lookup_647E2C
Trigger : ./swfc swftools/swfc_crash_dict_do_lookup_647E2C
Crash Detail :
`
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./swfc swftools/swfc_crash_dict_do_lookup_647E2C
ASAN:SIGSEGV
==18801==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000489a58 bp 0x0000004029e0 sp 0x7fff47ddda20 T0)
#0 0x489a57 in dict_lookup (/home/fuzzer/fuzzing/swftools/src/swfc+0x489a57)
#1 0x48a2e3 in map_lookup (/home/fuzzer/fuzzing/swftools/src/swfc+0x48a2e3)
#2 0x405a7e in lu (/home/fuzzer/fuzzing/swftools/src/swfc+0x405a7e)
#3 0x410e09 in findFontUsage (/home/fuzzer/fuzzing/swftools/src/swfc+0x410e09)
#4 0x410fb9 in firstPass (/home/fuzzer/fuzzing/swftools/src/swfc+0x410fb9)
#5 0x4111d4 in main (/home/fuzzer/fuzzing/swftools/src/swfc+0x4111d4)
#6 0x7f605287382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x402a08 in _start (/home/fuzzer/fuzzing/swftools/src/swfc+0x402a08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 dict_lookup
==18801==ABORTING
`
How to install for mac os
我在mac上安装程序, 编译时一直出现如上错误,如何解决? 使用brew install swftools 安装的没有pdf2swf 这个又如何解决
A heapoverflow bug of wav2swf.
A heapoverflow bug of wav2swf.
poc: https://drive.google.com/open?id=1z1k-amAf8NoAH8N_yhwggOQj9o6bemch
asan: https://drive.google.com/open?id=1HaydSh6XaszrsfE15l5SLmdAyX6IOi0i
Bug occured in file /lib/wav.c:243. Function wav_convert2mono does not check the size and align in wav sample properly, which causes samplelen equal to 0 while size less than align.
https://github.com/matthiaskramm/swftools/blob/54657f9ba3dd4fa3e54c8f8c18f3def7a42d1f1c/lib/wav.c#L204
Thus, the argument to the function malloc will less than we expect, which is only 128 bytes.
https://github.com/matthiaskramm/swftools/blob/54657f9ba3dd4fa3e54c8f8c18f3def7a42d1f1c/lib/wav.c#L225
Later, in the for loop, it will cause heap buffer overflow. Here the varible src->size is 0xb78a, which makes pos2 much more larger than 128.
https://github.com/matthiaskramm/swftools/blob/54657f9ba3dd4fa3e54c8f8c18f3def7a42d1f1c/lib/wav.c#L239
Patch Suggestion:
Check size and align.
swfextract - undocumented parameters
These swfextract params are not documented on the help menu -h.
{"a","any"},
{"0","movetozero"},
{"b","binary"},png2swf png_load() access except
Trigger : ./png2swf -r -z -j 10 -s 50 -o /dev/null swftools/png2swf_-r_-z_-j_10_-s_50_-o_dev_null__crash_png_load_453ea0
Crash Detail :
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./png2swf -r -z -j 10 -s 50 -o /dev/null swftools/png2swf_-r_-z_-j_10_-s_50_-o_dev_null__crash_png_load_453ea0
ASAN:SIGSEGV
==19412==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb5e1f00002 (pc 0x000000412a8a bp 0x0000fffffff0 sp 0x7ffe7e1c32e0 T0)
#0 0x412a89 in png_load (/home/fuzzer/fuzzing/swftools/src/png2swf+0x412a89)
#1 0x403101 in MovieAddFrame (/home/fuzzer/fuzzing/swftools/src/png2swf+0x403101)
#2 0x404054 in main (/home/fuzzer/fuzzing/swftools/src/png2swf+0x404054)
#3 0x7fb5e4dfb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x401f28 in _start (/home/fuzzer/fuzzing/swftools/src/png2swf+0x401f28)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 png_load
==19412==ABORTING
Segmentation Fault:out-of-bound write of heap data issue can occur in function png_load()(lib/png.c:755).
Recently, I found an out-of-bound issue in the newest branch of swftools which can cause the segmentation fault.
This issue can be caused by a malformed PNG file though png2swf.
Attackers could exploit this issue to result n DoS and might cause arbitrary code execution.
The crash infomation is as follows.
compiled normally
$ analysis ./png2swf-test crashes_use/000004.png
[1] 56063 segmentation fault ./png2swf-test crashes_use/000004.png
compiled with CFLAGS=’-fsanitize=address’
$ analysis ./png2swf-dbg crashes_use/000004.png
==7338==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001b500 at pc 0x00000045a3fa bp 0x7fffe1841530 sp 0x7fffe1841520
WRITE of size 4 at 0x62100001b500 thread T0
#0 0x45a3f9 in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:755
#1 0x40865e in MovieAddFrame /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:491
#2 0x40af7d in main /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:816
#3 0x7f943a8c282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x402838 in _start (/home/kirito/Desktop/fuzz/swftools/swftools-2013-04-09-1007/fuzz_0/analysis/png2swf-dbg+0x402838)
0x62100001b500 is located 0 bytes to the right of 4096-byte region [0x62100001a500,0x62100001b500)
allocated by thread T0 here:
#0 0x7f943b176602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x455d92 in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:579
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:755 png_load
Shadow bytes around the buggy address:
0x0c427fffb650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb6a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb6c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb6d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb6e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb6f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==7338==ABORTING
The attachment is the zip package of PoC and a brief analysis.
000004.zip
ttftool readBlock() memcpy overflow
Crash : https://raw.githubusercontent.com/lcatro/My_PoC/master/swftools/ttf2swf_crash_memcpy
Trigger : ./ttftool swftools/ttf2swf_crash_memcpy
Crash Detail :
`
==18865==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f6452a6c000 at pc 0x7f6451a4c935 bp 0x7ffd244304d0 sp 0x7ffd2442fc78
READ of size 43580776 at 0x7f6452a6c000 thread T0
#0 0x7f6451a4c934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
#1 0x401c32 in readBlock (/home/fuzzer/fuzzing/swftools/src/ttftool+0x401c32)
#2 0x405a8f in ttf_load (/home/fuzzer/fuzzing/swftools/src/ttftool+0x405a8f)
#3 0x40b4cc in ttf_open (/home/fuzzer/fuzzing/swftools/src/ttftool+0x40b4cc)
#4 0x4017fa in main (/home/fuzzer/fuzzing/swftools/src/ttftool+0x4017fa)
#5 0x7f645161782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x4012d8 in _start (/home/fuzzer/fuzzing/swftools/src/ttftool+0x4012d8)
0x7f6452a6c000 is located 6144 bytes to the left of 524512-byte region [0x7f6452a6d800,0x7f6452aed8e0)
allocated by thread T0 here:
#0 0x7f6451a58602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4059ba in ttf_load (/home/fuzzer/fuzzing/swftools/src/ttftool+0x4059ba)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x0fed0a5457b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed0a5457c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed0a5457d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed0a5457e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed0a5457f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fed0a545800:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fed0a545810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fed0a545820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fed0a545830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fed0a545840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fed0a545850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==18865==ABORTING
`
build gfx2gfx error
I was working on Ubuntu 16.04, I want to build gfx2gfx.
I followed the below steps
git clone --depth=1 git://github.com/matthiaskramm/swftools ./swftools
cd swftools
./configure
make
cd lib
make
cd ../src
make gfx2gfxand the last step gave me the following error message.
liudonghua@desktop-ldh:~/code/swftools/src$ make gfx2gfx
gcc -c -DHAVE_CONFIG_H -I/usr/include/freetype2 -I/usr/include/fontconfig -Ilame -Ilib/lame -fPIC -Wimplicit -Wreturn-type -Wno-write-strings -Wformat -O -fomit-frame-pointer gfx2gfx.c -o gfx2gfx.o
g++ -DHAVE_CONFIG_H gfx2gfx.o -o gfx2gfx ../lib/libgfxswf.a ../lib/librfxswf.a ../lib/libgfxpdf.a ../lib/libgfx.a ../lib/libbase.a -L/usr/local/lib -lzzip -lgif -ljpeg -lz -lm -lfontconfig -lfreetype -lfftw3f -lstdc++
/usr/bin/ld: Warning: size of symbol `voidclass' changed from 104 in ../lib/librfxswf.a(abc.o) to 112 in ../lib/librfxswf.a(registry.o)
gfx2gfx.o: In function `main':
gfx2gfx.c:(.text+0xab3): undefined reference to `gfxdevice_pdf_init'
collect2: error: ld returned 1 exit status
Makefile:129: recipe for target 'gfx2gfx' failed
make: *** [gfx2gfx] Error 1
liudonghua@desktop-ldh:~/code/swftools/src$A memleak bug of png2swf (vuln 2nd).
A memleak bug of png2swf.
The POC in the last issue can also trigger this new bug.
poc1: https://drive.google.com/open?id=1MUuOab8EYCwhDUH9cC5DwSuF_slthBPd
asan1: https://drive.google.com/open?id=1h-w58olMDSpXohrNGDk-hLGEQjwhKDiO
poc2: https://drive.google.com/open?id=1QUpPmR9KQPWPsMVakzWhqgB8t0WQGW5f
asan2: https://drive.google.com/open?id=1jSFnQFLiiDPXVXZnYQZ7pRaK0g8PZJL7
https://github.com/matthiaskramm/swftools/blob/54657f9ba3dd4fa3e54c8f8c18f3def7a42d1f1c/src/png2swf.c#L476
In the MovieAddFrame function of png2swf, png_load will request for a chunk for data, and it is not freed after using it.
wav2swf interget divide
Crash : https://raw.githubusercontent.com/lcatro/My_PoC/master/swftools/wav2swf_interger_divide
Trigger : ./wav2swf swftools/wav2swf_interger_divide
Crash Detail :
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./wav2swf swftools/wav2swf_interger_divide Floating point exception (core dumped)
Building with poppler fails
On revision 392fb1f, building with poppler fails because swftools failed to use PKG_CHECK_MODULES (and use pkgconfig's result) in configure.in (which should be called configure.ac).
[ 15s] g++ -c -DHAVE_CONFIG_H -I/usr/include -I/usr/include/freetype2 -I/usr/include/fontconfig -Ilame
-Ilib/lame -fPIC -fPIC -Wall -Wno-unused -Wno-format -Wno-redundant-decls -Wno-write-strings -D_FORTIFY_
SOURCE=2 -O -fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -
fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -g -I ./ VectorGraphicOutputDev.cc -
o VectorGraphicOutputDev.o
[ 15s] parser.tab.c: In function 'a3_parse':
[ 15s] parser.y:788:20: warning: 'tmp' may be used uninitialized in this function [-Wmaybe-uninitialized
]
[ 15s] parser.y:762:9: note: 'tmp' was declared here
[ 15s] In file included from VectorGraphicOutputDev.cc:33:0:
[ 15s] popplercompat.h:46:29: fatal error: goo/GooString.h: No such file or directory
[ 15s] #include <goo/GooString.h>
The file is located at /usr/include/poppler/goo/GooString.h, and pkg-config popple --cflags yields -I/usr/include/poppler (which means <goo/GooString.h> is right, but you are not heeding the pkgconfig result).
Building without poppler fails
Also on 392fb1f
./configure --host=x86_64-suse-linux-gnu --build=x86_64-suse-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/lib --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --disable-dependency-tracking --disable-warnings
[…]
[ 5s] checking for PDF_open_file in -lpdf... no
[…]
[ 8s] checking pdflib.h usability... no
[ 8s] checking pdflib.h presence... no
[ 8s] checking for pdflib.h... no
[…]
[ 15s] cd pdf;make libgfxpdf
[ 15s] make[2]: Entering directory '/home/abuild/rpmbuild/BUILD/swftools-0.9.2.g51/lib/pdf'
[ 15s] Extracting xpdf-3.02.tar.gz
[ 15s] gcc -c -DHAVE_CONFIG_H -I/usr/include -I/usr/include/freetype2 -I/usr/include/fontconfig -Ilame -Ilib/lame -fPIC -Wall -Wno-unused -Wno-format -Wno-redundant-decls -Wno-write-strings -D_FORTIFY_SOURCE=2 -O -fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -g q.c -o q.o
[…]
[ 15s] gcc -c -DHAVE_CONFIG_H -I/usr/include -I/usr/include/freetype2 -I/usr/include/fontconfig -Ilame -Ilib/lame -fPIC -Wall -Wno-unused -Wno-format -Wno-redundant-decls -Wno-write-strings -D_FORTIFY_SOURCE=2 -O -fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -g utf8.c -o utf8.o
[ 15s] In file included from VectorGraphicOutputDev.cc:33:0:
[ 15s] popplercompat.h:49:27: fatal error: xpdf/config.h: No such file or directory
[ 15s] #include "xpdf/config.h"
The file is at ./lib/pdf/xpdf-3.02/config.h.
An integer overflow bug of wav2swf
when malloc.
there is an integer overflow bug:
(samplelenratio2)+128
that make the malloc failed.
so samples is 0
https://github.com/matthiaskramm/swftools/blob/master/src/wav2swf.c#L238
when memcpy use samples,it cause a null pointer dereference bug
memcpy(samples2, samples, numsamples*sizeof(U16));
xpdf needed?
I finally got this up and running on my Ubuntu 16.04.5 server. Quick question though. I don't have xpdf installed. When I run a pdf2swf command, it converts fine but throws an error.
Error: Couldn't find included config file: '/etc/xpdf/includes' (/etc/xpdf/xpdfrc:79)
If I run apt-get install xpdf (installs version 3.0.4) and then run a pdf2swf command, I get a whole bunch of the following errors:
Error: Unknown config file command 'psResidentFont16' (/usr/share/xpdf/xpdfrc-japanese:53)
Error: Unknown config file command 'fontFileCC' (/usr/share/xpdf/xpdfrc-korean:7)
So should I install xpdf or not? Do I need a different version?
Compiling errors on Mac OS Mojave
I'm trying to install the last tar.gz file on mac os Mojave but when I try to run the make command, show the nex errors:
making all in m4...
cd m4;/Applications/Xcode.app/Contents/Developer/usr/bin/make all
making all in lib...
cd lib;/Applications/Xcode.app/Contents/Developer/usr/bin/make all
rm -f librfxswf.a
ar r librfxswf.a modules/swfaction.o modules/swfbits.o modules/swfbutton.o modules/swfcgi.o modules/swfdraw.o modules/swfdump.o modules/swffilter.o modules/swffont.o modules/swfobject.o modules/swfrender.o modules/swfshape.o modules/swfsound.o modules/swftext.o modules/swftools.o modules/swfalignzones.o rfxswf.o drawer.o h.263/dct.o h.263/h263tables.o h.263/swfvideo.o action/assembler.o action/compile.o action/lex.swf4.o action/lex.swf5.o action/libming.o action/swf4compiler.tab.o action/swf5compiler.tab.o action/actioncompiler.o as3/abc.o as3/pool.o as3/files.o as3/opcodes.o as3/code.o as3/registry.o as3/builtin.o as3/tokenizer.yy.o as3/parser.tab.o as3/scripts.o as3/compiler.o as3/import.o as3/expr.o as3/parser_help.o as3/state.o as3/common.o as3/initcode.o as3/assets.o
ar: creating archive librfxswf.a
ranlib librfxswf.a
cd pdf;/Applications/Xcode.app/Contents/Developer/usr/bin/make libgfxpdf
g++ -c -DHAVE_CONFIG_H -I/usr/local/opt/libxml2/include -I/opt/local/include -I/usr/local/opt/freetype/include/freetype2 -I /usr/local/include/lame -fPIC -fPIC -Wimplicit -Wreturn-type -Wno-write-strings -Wformat -O -fomit-frame-pointer -fno-rtti -I ./ -I xpdf xpdf/GlobalParams.cc -o xpdf/GlobalParams.o
xpdf/GlobalParams.cc:925:12: error: ordered comparison between pointer and zero ('char *' and 'int')
if(pos1>=0)
~~~~^ ~
xpdf/GlobalParams.cc:927:17: error: ordered comparison between pointer and zero ('char *' and 'int')
else if(pos2>=0)
~~~~^ ~
2 errors generated.
make[2]: *** [xpdf/GlobalParams.o] Error 1
make[1]: *** [libgfxpdf.a] Error 2
make: *** [all] Error 2
How can I fix this issue, or you don't support this Mac versions?
swfextract swf_FoldSprite() Null-pointer access
Trigger : ./swfextract swftools/swfextract_crash_swf_FoldSprite_44C9E8
Crash Detail :
`
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./swfextract swftools/swfextract_crash_swf_FoldSprite_44C9E8
rfxswf: Warning: Short read (tagid 0). File truncated?
Objects in file swftools/swfextract_crash_swf_FoldSprite_44C9E8:
ASAN:SIGSEGV
==18840==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000040ffb6 bp 0x60600000ec60 sp 0x7fffda4aae80 T0)
#0 0x40ffb5 in swf_FoldSprite (/home/fuzzer/fuzzing/swftools/src/swfextract+0x40ffb5)
#1 0x410150 in swf_FoldAll (/home/fuzzer/fuzzing/swftools/src/swfextract+0x410150)
#2 0x403a5a in listObjects (/home/fuzzer/fuzzing/swftools/src/swfextract+0x403a5a)
#3 0x40580e in main (/home/fuzzer/fuzzing/swftools/src/swfextract+0x40580e)
#4 0x7fef97fd482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x402208 in _start (/home/fuzzer/fuzzing/swftools/src/swfextract+0x402208)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 swf_FoldSprite
==18840==ABORTING
`
the swftools cant not work well in Server Host
in my local computer, the swftools converts pdf to swf works well, but there is something wrong with my code when I put my code in the server host.
exception :FATAL Invalid restoreState
I have installed the SwfTools in my server host.
who can explain this?
pdf2swf Invalid-Address-Access
Trigger : ./pdf2swf -z -i -w -b -l -f -G -I -o /den/null swftools/pdf2swf_-z_-i_-w_-b_-l_-f_-G_-I_-o_dev_null_crash_FoFiTrueType__writeTTF
Crash Detail :
root@libfuzzer-virtual-machine:/home/libfuzzer/fuzzing/swftools/src# ./pdf2swf -z -i -w -b -l -f -G -I -o /den/null swftools/pdf2swf_-z_-i_-w_-b_-l_-f_-G_-I_-o_dev_null_crash_FoFiTrueType__writeTTF
ASAN:DEADLYSIGNAL
==23882==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x0000005bc877 bp 0x000000000000 sp 0x7ffda6742c80 T0)
#0 0x5bc876 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x5bc876)
#1 0x5e79f6 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x5e79f6)
#2 0x5e3659 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x5e3659)
#3 0x5d2e2e (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x5d2e2e)
#4 0x5b4ad0 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x5b4ad0)
#5 0x5706da (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x5706da)
#6 0x573d26 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x573d26)
#7 0x5739f3 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x5739f3)
#8 0x564fca (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x564fca)
#9 0x564d58 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x564d58)
#10 0x53d6f7 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x53d6f7)
#11 0x53ae87 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x53ae87)
#12 0x4f266f (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x4f266f)
#13 0x4f2c47 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x4f2c47)
#14 0x7fd26900382f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#15 0x41cef8 (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x41cef8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/libfuzzer/fuzzing/swftools/src/pdf2swf+0x5bc876)
==23882==ABORTING
Documentation unresponsive
20-11-2018 - http://wiki.swftools.org/ is unresponsive
swfcombine swf_Relocate() Null-pointer access
Trigger : ./swfcombine -t -m -G -B -v -z -f -o /dev/null swftools/swfcombine_-t-m-G-B-v-z-f-o_dev_null__swf_Relocate_42B491
Crash Detail :
`
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./swfcombine -t -m -G -B -v -z -f -o /dev/null swftools/swfcombine_-t-m-G-B-v-z-f-o_dev_null__swf_Relocate_42B491
NOTICE Combine [(null)]none and [Frame00]swftools/swfcombine_-t-m-G-B-v-z-f-o_dev_null__swf_Relocate_42B491
NOTICE Slave file attached to named object Frame00 (1).
ASAN:SIGSEGV
==18827==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x00000040ab6a bp 0x60200000ee30 sp 0x7ffeffe29660 T0)
#0 0x40ab69 in swf_Relocate (/home/fuzzer/fuzzing/swftools/src/swfcombine+0x40ab69)
#1 0x404346 in normalcombine (/home/fuzzer/fuzzing/swftools/src/swfcombine+0x404346)
#2 0x404857 in combine (/home/fuzzer/fuzzing/swftools/src/swfcombine+0x404857)
#3 0x405584 in main (/home/fuzzer/fuzzing/swftools/src/swfcombine+0x405584)
#4 0x7f9a0186982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x401e48 in _start (/home/fuzzer/fuzzing/swftools/src/swfcombine+0x401e48)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 swf_Relocate
==18827==ABORTING
`
error: two or more data types in declaration specifiers
R:/swftools/config.h:193:17: error: two or more data types in declaration specifiers
#define boolean intI am using Msys2+MingW64 and Msys2+MingW32. Both meets the above error. The solution is comment out #define boolean int in swftools/config.h
ID Table overflow
Got an error while converting a PDF to SWF (using pdf2swf.exe).
ERROR ID Table overflow
ERROR This file is too complex to render- SWF only supports 65536 shapes at once.
Note: my PDF file contains a lot of images which may have caused the overflow of the UInt16.
Can this be fixed, please? Thanks.
wav2swf wav_convert2mono() access except
Trigger : ./wav2swf swftools/wav2swf_wav_convert2mono_segment_fault
Crash Detail :
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./wav2swf swftools/wav2swf_wav_convert2mono_segment_fault
ASAN:SIGSEGV
==19400==ERROR: AddressSanitizer: SEGV on unknown address 0x631000030000 (pc 0x000000438727 bp 0x7ffe0eb27030 sp 0x7ffe0eb26f30 T0)
#0 0x438726 in wav_convert2mono (/home/fuzzer/fuzzing/swftools/src/wav2swf+0x438726)
#1 0x40277a in main (/home/fuzzer/fuzzing/swftools/src/wav2swf+0x40277a)
#2 0x7fccd015882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#3 0x401d78 in _start (/home/fuzzer/fuzzing/swftools/src/wav2swf+0x401d78)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 wav_convert2mono
==19400==ABORTING
Compiling errors on MacO
I'm trying to install the last tar.gz file on mac os Mojave but
wav2swf memory leak
Crash : https://raw.githubusercontent.com/lcatro/My_PoC/master/swftools/wav2swf_memory_corruption
Trigger : ./wav2swf swftools/wav2swf_memory_corruption
Crash Detail :
`
fuzzer@ub16x64:~/fuzzing/swftools/src$ ./wav2swf swftools/wav2swf_memory_corruption
=================================================================
==19388==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 46986 byte(s) in 1 object(s) allocated from:
#0 0x7f1f953cd602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x438244 in wav_read (/home/fuzzer/fuzzing/swftools/src/wav2swf+0x438244)
Direct leak of 1152 byte(s) in 1 object(s) allocated from:
#0 0x7f1f953cd602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4027b6 in main (/home/fuzzer/fuzzing/swftools/src/wav2swf+0x4027b6)
Direct leak of 1123 byte(s) in 1 object(s) allocated from:
#0 0x7f1f953cd602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x43866e in wav_convert2mono (/home/fuzzer/fuzzing/swftools/src/wav2swf+0x43866e)
#2 0x1f3f ()
SUMMARY: AddressSanitizer: 49261 byte(s) leaked in 3 allocation(s).
`
swfc doesn’t embed WAVE sound
I’m afraid that starting from lame-3.98, swfc is not able to embed sound in WAVE format
.sound snd "soundtrack.wav"
Would it be possible that this issue could be fixed?
swfextract can't bypass the error!
The swfextract not support extract all the pic resources, but use ids to select instead.
No big deal, but if one of the ids fail to extract, the app exit. If there are hundreds of pics, I have to check which one fails and redo the extract. If fail again, recheck, redo....
Any option to extract all pic resources, like -j without parameters?
Or option to bypass extract error?
Compiling fails
Hi,
I'm in a Debian 64 bits and I'm failing to build swftools:
I do:
git clone https://github.com/matthiaskramm/swftools
cd swftools
./configure
make
Configure runs well but when the make I get:
make[2]: Leaving directory '/tmp/swftools/lib/pdf'
Makefile:184: recipe for target 'libgfxpdf.a' failed
make[1]: Leaving directory '/tmp/swftools/lib'
Makefile:7: recipe for target 'all' failed
make[2]: *** No rule to make target 'xpdf/TextOutputDev.o', needed by '../libgfxpdf.a'. Stop.
make[1]: *** [libgfxpdf.a] Error 2
make: *** [all] Error 2
Any idea why?
Thanks
Bug in clip_depth/name field order in PLACEOBJECT
Swftools deviates from the official swf specification. This deviation causes Flash to misinterpret some of the swf files generated by swfc. The deviation is documented by a comment in the code:
The specification states, that ClipDepth field comes after the Name field.
This has been in the code for 15 years according to git blame:
d193d73#diff-b0ead3b01c9deed99d0df1f51970d65cR124
Here is a swfc script which demonstrates an issue caused by this difference:
.flash
.circle cg 200 fill=green line=1
.circle cb 200 fill=blue line=1
.circle cr 200 fill=red line=1
.startclip cg x=0 y=0
.put cb x=0 y=200
.end
.put cr y=0 x=200
.end
The problem is, that the green circle (cg) should only mask the blue circle (cb), but it also masks the red circle (cr), because the clip depth is read in from the name field (becoming some garbage, large value) by Flash.
This is how flash renders the resulting swf:
This is how it should look like:
I'd be happy if this issue could be fixed, but I'm also interested in the historical reason why this deviation was introduced in the first place. Let me know if I can help by opening some initial PR with a fix.
Note that this would affect, deserialisation too, for example here:
https://github.com/matthiaskramm/swftools/blob/54657f9ba3dd4fa3e54c8f8c18f3def7a42d1f1c/lib/modules/swftools.c#L412-L415
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.