CVE-2023-26991: stack-use-after-scope exists in function swf_ReadSWF2 in lib/rfxswf.c · Issue #196 · matthiaskramm/swftools
SWFTools v0.9.2 was discovered to contain a stack-use-after-scope in the swf_ReadSWF2 function in lib/rfxswf.c.
==13979==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffd30700648 at pc 0x000000581b59 bp 0x7ffd30700550 sp 0x7ffd30700548
READ of size 4 at 0x7ffd30700648 thread T0
#0 0x581b58 in swf_ReadSWF2 /home/swftools//lib/rfxswf.c:1607:18
#1 0x581f8d in swf_ReadSWF /home/swftools/lib/rfxswf.c:1627:10
#2 0x4f9aaa in main /home/swftools/src/swfdump.c:1177:12
#3 0x7f9dd2219c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#4 0x41bcb9 in _start (/home/swftoolssrc/swfdump+0x41bcb9)
Address 0x7ffd30700648 is located in stack of thread T0 at offset 232 in frame
#0 0x580ccf in swf_ReadSWF2 /home/swftools/lib/rfxswf.c:1561
This frame has 3 object(s):
[32, 64) 'b' (line 1565)
[96, 152) 't1' (line 1568)
[192, 240) 'zreader' (line 1569) <== Memory access at offset 232 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /home/swftools/lib/rfxswf.c:1607:18 in swf_ReadSWF2
Shadow bytes around the buggy address:
0x1000260d8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000260d8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000260d8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000260d80a0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x1000260d80b0: f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f2
=>0x1000260d80c0: f2 f2 f2 f2 f8 f8 f8 f8 f8[f8]f3 f3 f3 f3 f3 f3
0x1000260d80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000260d80e0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x1000260d80f0: 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00
0x1000260d8100: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x1000260d8110: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==13979==ABORTING
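The report above is specific: the read at rfxswf.c:1607 touches `zreader`, a variable declared at line 1569 whose enclosing block has already closed (the `[f8]` shadow byte at the fault address is exactly the "Stack use after scope" marker from the legend). The usual cause of this bug class is a pointer to a block-scoped object escaping the block and being dereferenced later. The following is an added, constructed illustration of that shape, not swftools code: the `struct reader`, `mem_read`, `reader_init_mem`, `le32`, both `read_value_*` functions and the sample byte strings are all assumptions for this example. The vulnerable variant is kept beside the hoisted fix for comparison and is never called.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a reader object with a function-pointer read
   method. Field names and layout are assumptions for this example, not
   the swftools struct. */
struct reader {
    const uint8_t *buf;
    size_t len;
    size_t pos;
    int (*read)(struct reader *r, void *dst, size_t n);
};

static int mem_read(struct reader *r, void *dst, size_t n) {
    if (n > r->len - r->pos)
        return -1;                      /* refuse to read past the buffer */
    memcpy(dst, r->buf + r->pos, n);
    r->pos += n;
    return (int)n;
}

static void reader_init_mem(struct reader *r, const uint8_t *buf, size_t len) {
    r->buf = buf;
    r->len = len;
    r->pos = 0;
    r->read = mem_read;
}

/* Assemble a little-endian 32-bit value without relying on host endianness. */
static uint32_t le32(const uint8_t v[4]) {
    return (uint32_t)v[0] | ((uint32_t)v[1] << 8) |
           ((uint32_t)v[2] << 16) | ((uint32_t)v[3] << 24);
}

/* VULNERABLE shape: the wrapper reader is declared inside the if-block, its
   address escapes into `reader`, and the pointer is dereferenced after the
   block closes. Under ASan this is reported as stack-use-after-scope on the
   wrapper variable. Kept for comparison only; nothing below calls it. */
int read_value_vulnerable(struct reader *reader, uint32_t *out) {
    uint8_t b[8], v[4];
    if (reader->read(reader, b, 8) != 8)
        return -1;
    if (b[0] == 'C') {
        struct reader zreader;          /* lifetime ends at the closing brace */
        reader_init_mem(&zreader, reader->buf + reader->pos, reader->len - reader->pos);
        reader = &zreader;              /* dangling once the block exits */
    }
    if (reader->read(reader, v, 4) != 4) /* use after scope when b[0] == 'C' */
        return -1;
    *out = le32(v);
    return 0;
}

/* FIXED shape: the wrapper is hoisted to function scope so it outlives
   every use of the pointer that may refer to it. */
int read_value_fixed(struct reader *reader, uint32_t *out) {
    uint8_t b[8], v[4];
    struct reader zreader;              /* lives until the function returns */
    if (reader->read(reader, b, 8) != 8)
        return -1;
    if (b[0] == 'C') {
        reader_init_mem(&zreader, reader->buf + reader->pos, reader->len - reader->pos);
        reader = &zreader;
    }
    if (reader->read(reader, v, 4) != 4)
        return -1;
    *out = le32(v);
    return 0;
}

/* Parse a buffer with the fixed routine; returns the value, or 0 on error. */
uint32_t parse_or_zero(const uint8_t *buf, size_t len) {
    struct reader r;
    uint32_t value = 0;
    reader_init_mem(&r, buf, len);
    if (read_value_fixed(&r, &value) != 0)
        return 0;
    return value;
}

/* Constructed inputs: an 8-byte header whose first byte selects the wrapper
   path ('C') or not ('F'), followed by one little-endian 32-bit value. */
const uint8_t sample_c[]     = { 'C','W','S',10, 0,0,0,0, 0x78,0x56,0x34,0x12 };
const uint8_t sample_f[]     = { 'F','W','S',10, 0,0,0,0, 0x78,0x56,0x34,0x12 };
const uint8_t sample_short[] = { 'C','W','S',10, 0,0,0,0, 0x78 };

int main(void) {
    printf("C path: 0x%08x\n", parse_or_zero(sample_c, sizeof sample_c));
    printf("F path: 0x%08x\n", parse_or_zero(sample_f, sizeof sample_f));
    printf("short : 0x%08x\n", parse_or_zero(sample_short, sizeof sample_short));
    return 0;
}
```

Building with `-fsanitize=address -g` (current clang and gcc enable stack-use-after-scope detection by default; gcc also exposes it as `-fsanitize-address-use-after-scope`) and routing a `'C'` input through the vulnerable variant yields a report of the same form as the one above, naming the block-scoped wrapper in "This frame has N object(s)". The fix is purely a lifetime change: nothing about the parsing logic differs between the two functions, which is why a CI build of the parser under ASan, fed both header variants, is the regression check worth keeping.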