SWFReader.cpp SWF::Reader::getWord() Invalide Address Access

[lcatro]

Crash File : https://raw.githubusercontent.com/lcatro/My_PoC/master/swfmill/swf2xml_crash_getWord

Trigger : ./swfmill swf2xml ./swf2xml_crash_getWord

Crash Detail :

valgrind

libfuzzer@libfuzzer-virtual-machine:~/fuzzing/swfmill/src$ valgrind ./swfmill swf2xml ./swf2xml_crash_getWord 
==1439== Memcheck, a memory error detector
==1439== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==1439== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==1439== Command: ./swfmill swf2xml ./swf2xml_crash_getWord
==1439== 
WARNING: end of tag SetBackgroundColor is @22, should be @-956301294
==1439== Invalid read of size 1
==1439==    at 0x416614: SWF::Reader::getWord() (SWFReader.cpp:43)
==1439==    by 0x419445: SWF::Tag::get(SWF::Reader*, int, SWF::Context*) (SWFTag.cpp:8)
==1439==    by 0x44CF8D: SWF::Header::parse(SWF::Reader*, int, SWF::Context*) (gSWFParser.cpp:426)
==1439==    by 0x4181F9: SWF::File::load(_IO_FILE*, SWF::Context*, unsigned int) (SWFFile.cpp:88)
==1439==    by 0x41DA26: swfmill_swf2xml(int, char**) (swfmill.cpp:135)
==1439==    by 0x65F182F: (below main) (libc-start.c:291)
==1439==  Address 0xffffffffd0118e32 is not stack'd, malloc'd or (recently) free'd
==1439== 
==1439== 
==1439== Process terminating with default action of signal 11 (SIGSEGV)
==1439==  Access not within mapped region at address 0xFFFFFFFFD0118E32
==1439==    at 0x416614: SWF::Reader::getWord() (SWFReader.cpp:43)
==1439==    by 0x419445: SWF::Tag::get(SWF::Reader*, int, SWF::Context*) (SWFTag.cpp:8)
==1439==    by 0x44CF8D: SWF::Header::parse(SWF::Reader*, int, SWF::Context*) (gSWFParser.cpp:426)
==1439==    by 0x4181F9: SWF::File::load(_IO_FILE*, SWF::Context*, unsigned int) (SWFFile.cpp:88)
==1439==    by 0x41DA26: swfmill_swf2xml(int, char**) (swfmill.cpp:135)
==1439==    by 0x65F182F: (below main) (libc-start.c:291)
==1439==  If you believe this happened as a result of a stack
==1439==  overflow in your program's main thread (unlikely but
==1439==  possible), you can try to increase the size of the
==1439==  main thread stack using the --main-stacksize= flag.
==1439==  The main thread stack size used in this run was 8388608.
==1439== 
==1439== HEAP SUMMARY:
==1439==     in use at exit: 81,549 bytes in 237 blocks
==1439==   total heap usage: 239 allocs, 2 frees, 85,682 bytes allocated
==1439== 
==1439== LEAK SUMMARY:
==1439==    definitely lost: 0 bytes in 0 blocks
==1439==    indirectly lost: 0 bytes in 0 blocks
==1439==      possibly lost: 0 bytes in 0 blocks
==1439==    still reachable: 81,549 bytes in 237 blocks
==1439==         suppressed: 0 bytes in 0 blocks
==1439== Rerun with --leak-check=full to see details of leaked memory
==1439== 
==1439== For counts of detected and suppressed errors, rerun with: -v
==1439== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segment Fault

**ASAN**

libfuzzer@libfuzzer-virtual-machine:~/fuzzing/swfmill/src$ ./swfmill swf2xml ./swf2xml_crash_getWord 
WARNING: end of tag SetBackgroundColor is @22, should be @-956301294
ASAN:DEADLYSIGNAL
=================================================================
==9310==ERROR: AddressSanitizer: SEGV on unknown address 0x60bfc700bf92 (pc 0x000000502584 bp 0x60400000c9d0 sp 0x7ffd468fe748 T0)
    #0 0x502583  (/home/libfuzzer/fuzzing/swfmill/src/swfmill+0x502583)
    #1 0x5053b5  (/home/libfuzzer/fuzzing/swfmill/src/swfmill+0x5053b5)
    #2 0x538efd  (/home/libfuzzer/fuzzing/swfmill/src/swfmill+0x538efd)
    #3 0x504169  (/home/libfuzzer/fuzzing/swfmill/src/swfmill+0x504169)
    #4 0x509996  (/home/libfuzzer/fuzzing/swfmill/src/swfmill+0x509996)
    #5 0x7fea0c92c82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41ebd8  (/home/libfuzzer/fuzzing/swfmill/src/swfmill+0x41ebd8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/libfuzzer/fuzzing/swfmill/src/swfmill+0x502583) 
==9310==ABORTING