Some crashes were found while fuzz testing the lvg_test binary; they can be triggered via malformed LVG and SWF files. Although these malformed files only crash the program, they could potentially be crafted further into security issues, where such files would be able to compromise the process's memory through memory corruption, so hardening the code to prevent these kinds of bugs would be great to mitigate such issues.
See details below for repro and debug information.
$ lvg_test crash.swf
free(): invalid next size (fast)
Aborted (core dumped)
$ gdb -q lvg_test
Reading symbols from lvg_test...
(No debugging symbols found in lvg_test)
(gdb) r crash.swf
Starting program: lvg_test crash.swf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
free(): invalid next size (fast)
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7dd5859 in __GI_abort () at abort.c:79
#2 0x00007ffff7e403ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f6a285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7e4847c in malloc_printerr (str=str@entry=0x7ffff7f6c600 "free(): invalid next size (fast)") at malloc.c:5347
#4 0x00007ffff7e49d2c in _int_free (av=0x7ffff7f9bb80 <main_arena>, p=0x5555555bb4b0, have_lock=0) at malloc.c:4249
#5 0x0000555555586c3b in ()
#6 0x00007fffffffe298 in ()
#7 0x0000000000000176 in ()
#8 0x0000000000000000 in ()
(gdb) i r
rax 0x0 0
rbx 0x7fffefb8be40 140737215249984
rcx 0x7ffff7df618b 140737351999883
rdx 0x0 0
rsi 0x7fffffffddc0 140737488346560
rdi 0x2 2
rbp 0x7fffffffe110 0x7fffffffe110
rsp 0x7fffffffddc0 0x7fffffffddc0
r8 0x0 0
r9 0x7fffffffddc0 140737488346560
r10 0x8 8
r11 0x246 582
r12 0x7fffffffe030 140737488347184
r13 0x10 16
r14 0x7ffff7ffb000 140737354117120
r15 0x1 1
rip 0x7ffff7df618b 0x7ffff7df618b <__GI_raise+203>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/i $rip
=> 0x7ffff7df618b <__GI_raise+203>: mov 0x108(%rsp),%rax
(gdb) exploitable
Description: Possible stack corruption
Short description: PossibleStackCorruption (7/22)
Hash: 75e3432b00f849a15e4751fc016bf27b.2d530e50f9061d0333ac98fc1ba1d5f2
Exploitability Classification: EXPLOITABLE
Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
Other tags: HeapError (10/22), AbortSignal (20/22)
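The backtrace above stops at an unresolved application frame (#5 has no symbol because the binary was built without debug information), so the corruption site has to be inferred from the glibc message. "free(): invalid next size (fast)" is what glibc prints when a fastbin-sized chunk is freed and the size field of the chunk immediately after it no longer makes sense, which means an earlier write ran past the end of a heap allocation. The following is an added example, not LVG's code and not the LVG or SWF on-disk format: a hypothetical SWF-style record parser that allocates from a declared length but copies until a terminator (the pattern that produces exactly this class of overflow), beside a hardened version that bounds every read by the bytes actually present. The record layout, every function name and the sample byte strings are constructed for this illustration.

```c
/* Added example (hypothetical, not LVG code): declared-length record parser,
 * trusting version beside hardened version.
 *
 * Build: cc -g -O1 -fsanitize=address,undefined -fno-omit-frame-pointer demo.c -o demo
 * Run:   ./demo           hardened parser over the constructed inputs
 *        ./demo --unsafe  trusting parser; ASan reports heap-buffer-overflow at the
 *                         write, without ASan glibc typically aborts in free()
 *
 * Constructed record layout (assumption, modelled loosely on a SWF RECORDHEADER):
 *   u16 LE header: code = hdr >> 6, len = hdr & 0x3f (0x3f => u32 LE extended len follows)
 *   body (len bytes): u8 name_len, name bytes, NUL terminator
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { PARSE_OK = 0, PARSE_ERR_TRUNCATED = 1, PARSE_ERR_LENGTH = 2, PARSE_ERR_ALLOC = 3 };

typedef struct {
    unsigned code;   /* 10-bit record code from the header */
    uint32_t len;    /* declared body length */
    char *name;      /* heap copy of the name; caller frees with record_free() */
} record_t;

static uint16_t rd_u16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the buffer is sized from the declared name_len, but the copy
 * runs until the NUL found in the file. A file with name_len = 4 and a 40-byte name
 * writes ~36 bytes past the chunk, clobbering the next chunk's size field; glibc
 * notices at a later free() and aborts with "free(): invalid next size". */
static char *read_name_unsafe(const uint8_t *body)
{
    uint8_t name_len = body[0];
    char *name = malloc((size_t)name_len + 1);
    if (!name) return NULL;
    const uint8_t *s = body + 1;
    size_t i = 0;
    while (s[i] != 0) { name[i] = (char)s[i]; i++; }   /* unbounded by name_len */
    name[i] = 0;
    return name;
}

/* Hardened version: every access is checked against the bytes actually available,
 * the declared length must end exactly at the terminator, and the copy is bounded. */
static int read_name_safe(const uint8_t *body, size_t avail, char **out)
{
    *out = NULL;
    if (avail < 2) return PARSE_ERR_TRUNCATED;            /* need name_len byte and a NUL */
    size_t name_len = body[0];
    if (name_len + 2 > avail) return PARSE_ERR_LENGTH;    /* name_len bytes + NUL must fit */
    const uint8_t *s = body + 1;
    if (s[name_len] != 0) return PARSE_ERR_LENGTH;        /* declared length must hit the NUL */
    if (memchr(s, 0, name_len) != NULL) return PARSE_ERR_LENGTH;  /* no embedded NUL */
    char *name = malloc(name_len + 1);
    if (!name) return PARSE_ERR_ALLOC;
    memcpy(name, s, name_len);                            /* bounded copy */
    name[name_len] = 0;
    *out = name;
    return PARSE_OK;
}

int parse_record(const uint8_t *buf, size_t size, record_t *rec)
{
    memset(rec, 0, sizeof *rec);
    if (size < 2) return PARSE_ERR_TRUNCATED;
    uint16_t hdr = rd_u16le(buf);
    size_t pos = 2;
    uint32_t len = hdr & 0x3f;
    if (len == 0x3f) {                                    /* extended length form */
        if (size - pos < 4) return PARSE_ERR_TRUNCATED;
        len = rd_u32le(buf + pos);
        pos += 4;
    }
    if (len > size - pos) return PARSE_ERR_TRUNCATED;     /* body must lie inside the input */
    rec->code = hdr >> 6;
    rec->len = len;
    return read_name_safe(buf + pos, len, &rec->name);
}

void record_free(record_t *rec) { free(rec->name); rec->name = NULL; }

/* Convenience wrappers returning just the status / a name comparison. */
int parse_status(const uint8_t *buf, size_t size)
{
    record_t r; int rc = parse_record(buf, size, &r); record_free(&r); return rc;
}
int parse_name_is(const uint8_t *buf, size_t size, const char *expect)
{
    record_t r; int ok = parse_record(buf, size, &r) == PARSE_OK && r.name && strcmp(r.name, expect) == 0;
    record_free(&r); return ok;
}

/* Constructed sample inputs (not taken from any real LVG/SWF file). */
static const uint8_t GOOD[] = { 0x46, 0x00, 4, 'm','a','i','n', 0 };            /* code 1, len 6 */
static const uint8_t BAD[]  = { 0x6A, 0x00, 4,                                    /* code 1, len 42, name_len 4 ... */
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A', 0 }; /* ... but 40 name bytes */
static const uint8_t TRUNC[]    = { 0x46, 0x00, 4, 'm','a' };                     /* claims len 6, has 3 body bytes */
static const uint8_t GOOD_EXT[] = { 0x7F, 0x00, 0x06,0,0,0, 4, 'm','a','i','n', 0 };      /* extended len 6 */
static const uint8_t BAD_EXT[]  = { 0x7F, 0x00, 0xFF,0xFF,0xFF,0xFF, 4, 'm','a','i','n', 0 }; /* extended len 4 GiB */

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--unsafe") == 0) {
        char *n = read_name_unsafe(BAD + 2);   /* writes 41 bytes into a 5-byte allocation */
        printf("unsafe: %s\n", n);
        free(n);                               /* glibc usually aborts here or on a later free */
        return 0;
    }
    printf("GOOD     -> %d\n", parse_status(GOOD, sizeof GOOD));
    printf("BAD      -> %d\n", parse_status(BAD, sizeof BAD));
    printf("TRUNC    -> %d\n", parse_status(TRUNC, sizeof TRUNC));
    printf("GOOD_EXT -> %d\n", parse_status(GOOD_EXT, sizeof GOOD_EXT));
    printf("BAD_EXT  -> %d\n", parse_status(BAD_EXT, sizeof BAD_EXT));
    return 0;
}
```

The same approach applies when reproducing the attached crash files: rebuilding lvg_test with -g and -fsanitize=address turns the late abort inside free() into a report at the offending write, with a symbolized stack, which is what is needed to locate and bound the real copy.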
Hi team,
Repro
crash.lvg.txt
Repro
crash.swf.txt