CVE-2024-22957

Vulnerability

An out-of-bounds read vulnerability exists in swftools version 0.9.2 in the dict_do_lookup function within lib/q.c at line 1190 [1]. The issue occurs when processing a specially crafted SWF file using the swfc tool. The vulnerable code path is reachable during font analysis and command argument parsing, as shown by the call stack from main through firstPass, findFontUsage, analyseArgumentsForCommand, lu, map_lookup, dict_lookup, and finally dict_do_lookup [1].

Exploitation

An attacker can exploit this vulnerability by providing a malicious SWF file to the swfc binary [1]. No authentication or special privileges are required; the attacker only needs to convince a user to process the crafted file with swfc. The crash is triggered automatically when swfc parses the file, leading to a segmentation fault due to an out-of-bounds read [1].

Impact

Successful exploitation results in a denial of service (DoS) condition, as the application crashes with a segmentation fault [1]. The AddressSanitizer report indicates a read access violation at address 0x0, suggesting a null pointer dereference or out-of-bounds read that leads to a crash [1]. No code execution or privilege escalation has been demonstrated in the available references.

Mitigation

As of the publication date, no patch has been released for this vulnerability [1]. Users are advised to avoid processing untrusted SWF files with swftools 0.9.2 or consider using alternative tools. The project appears to be unmaintained, so no fix is expected. Restricting access to the swfc binary and monitoring for unusual crashes are temporary workarounds.