**Valgrind**

```
libfuzzer@libfuzzer-virtual-machine:~/fuzzing/swfmill/src$ valgrind ./swfmill swf2xml ./swf2xml_crash_getWord
==1439== Memcheck, a memory error detector
==1439== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==1439== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==1439== Command: ./swfmill swf2xml ./swf2xml_crash_getWord
==1439==
WARNING: end of tag SetBackgroundColor is @22, should be @-956301294
==1439== Invalid read of size 1
==1439==    at 0x416614: SWF::Reader::getWord() (SWFReader.cpp:43)
==1439==    by 0x419445: SWF::Tag::get(SWF::Reader*, int, SWF::Context*) (SWFTag.cpp:8)
==1439==    by 0x44CF8D: SWF::Header::parse(SWF::Reader*, int, SWF::Context*) (gSWFParser.cpp:426)
==1439==    by 0x4181F9: SWF::File::load(_IO_FILE*, SWF::Context*, unsigned int) (SWFFile.cpp:88)
==1439==    by 0x41DA26: swfmill_swf2xml(int, char**) (swfmill.cpp:135)
==1439==    by 0x65F182F: (below main) (libc-start.c:291)
==1439==  Address 0xffffffffd0118e32 is not stack'd, malloc'd or (recently) free'd
==1439==
==1439==
==1439== Process terminating with default action of signal 11 (SIGSEGV)
==1439==  Access not within mapped region at address 0xFFFFFFFFD0118E32
==1439==    at 0x416614: SWF::Reader::getWord() (SWFReader.cpp:43)
==1439==    by 0x419445: SWF::Tag::get(SWF::Reader*, int, SWF::Context*) (SWFTag.cpp:8)
==1439==    by 0x44CF8D: SWF::Header::parse(SWF::Reader*, int, SWF::Context*) (gSWFParser.cpp:426)
==1439==    by 0x4181F9: SWF::File::load(_IO_FILE*, SWF::Context*, unsigned int) (SWFFile.cpp:88)
==1439==    by 0x41DA26: swfmill_swf2xml(int, char**) (swfmill.cpp:135)
==1439==    by 0x65F182F: (below main) (libc-start.c:291)
==1439==  If you believe this happened as a result of a stack
==1439==  overflow in your program's main thread (unlikely but
==1439==  possible), you can try to increase the size of the
==1439==  main thread stack using the --main-stacksize= flag.
==1439==  The main thread stack size used in this run was 8388608.
==1439==
==1439== HEAP SUMMARY:
==1439==     in use at exit: 81,549 bytes in 237 blocks
==1439==   total heap usage: 239 allocs, 2 frees, 85,682 bytes allocated
==1439==
==1439== LEAK SUMMARY:
==1439==    definitely lost: 0 bytes in 0 blocks
==1439==    indirectly lost: 0 bytes in 0 blocks
==1439==      possibly lost: 0 bytes in 0 blocks
==1439==    still reachable: 81,549 bytes in 237 blocks
==1439==         suppressed: 0 bytes in 0 blocks
==1439== Rerun with --leak-check=full to see details of leaked memory
==1439==
==1439== For counts of detected and suppressed errors, rerun with: -v
==1439== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
```
**ASAN**
```
libfuzzer@libfuzzer-virtual-machine:~/fuzzing/swfmill/src$ ./swfmill swf2xml ./swf2xml_crash_getWord
WARNING: end of tag SetBackgroundColor is @22, should be @-956301294
ASAN:DEADLYSIGNAL
=================================================================
==9310==ERROR: AddressSanitizer: SEGV on unknown address 0x60bfc700bf92 (pc 0x000000502584 bp 0x60400000c9d0 sp 0x7ffd468fe748 T0)
    #0 0x502583  (/home/libfuzzer/fuzzing/swfmill/src/swfmill+0x502583)
    #1 0x5053b5  (/home/libfuzzer/fuzzing/swfmill/src/swfmill+0x5053b5)
    #2 0x538efd  (/home/libfuzzer/fuzzing/swfmill/src/swfmill+0x538efd)
    #3 0x504169  (/home/libfuzzer/fuzzing/swfmill/src/swfmill+0x504169)
    #4 0x509996  (/home/libfuzzer/fuzzing/swfmill/src/swfmill+0x509996)
    #5 0x7fea0c92c82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41ebd8  (/home/libfuzzer/fuzzing/swfmill/src/swfmill+0x41ebd8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/libfuzzer/fuzzing/swfmill/src/swfmill+0x502583)
==9310==ABORTING
```
Crash file: https://raw.githubusercontent.com/lcatro/My_PoC/master/swfmill/swf2xml_crash_getWord

Trigger: `./swfmill swf2xml ./swf2xml_crash_getWord`

Crash detail: Valgrind and ASAN output above (the Valgrind run is symbolized, the ASAN run is not).