[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Swftools-common] swftools-0.9.0 bug report
|
From: |
Ildar Isaev |
|
Subject: |
[Swftools-common] swftools-0.9.0 bug report |
|
Date: |
Fri, 18 Sep 2009 19:53:35 +0400 |
|
User-agent: |
Thunderbird 2.0.0.21 (X11/20090409) |
I am using swftools-0.9.0 downloaded from
http://www.swftools.org/swftools-0.9.0.tar.gz.
It is possible to create an input file (some examples attached) which
causes swfdump to crash with segmentation fault. This is how gdb output
looks:
address@hidden:$ gdb --args swftools-0.9.0/inst/bin/swfdump --full exploit_180
...
This GDB was configured as "i486-linux-gnu"...
(gdb) run
Starting program: swftools-0.9.0/inst/bin/swfdump --full exploit_180
[Thread debugging using libthread_db enabled]
[New Thread 0x402e76c0 (LWP 31923)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x402e76c0 (LWP 31923)]
0x0805dd26 in swf_GetU32 (t=0x99475e8) at rfxswf.c:127
127 res = t->data[t->pos] | (t->data[t->pos+1]<<8) |
(gdb) p t->data
$1 = (U8 *) 0x0
(gdb) bt
#0 0x0805dd26 in swf_GetU32 (t=0x99475e8) at rfxswf.c:127
#1 0x0805eae0 in swf_ReadSWF2 (reader=0xbff613b0, swf=0x80ab960) at
rfxswf.c:1478
#2 0x0805eb6f in swf_ReadSWF (handle=5, swf=0x80ab960) at rfxswf.c:1507
#3 0x0804d14c in main (argc=-1074391100, argv=0xbff617c4) at swfdump.c:1026
One can see that t->data, which is NULL, is dereferenced at rfxswf.c:127
Best regards,
Ildar
exploit_180
Description: Binary data
exploit_20
Description: Binary data
- [Swftools-common] swftools-0.9.0 bug report,
Ildar Isaev <=