Microsoft Office 2007 TTDeleteEmbeddedFont handle double delete

Reported by hawkes@google.com (Project Member), Sep 15 2014
The following access violation was observed in Microsoft Office 2007:

(7a4.808): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=feeefeee ecx=7ffdf000 edx=00150608 esi=00150000 edi=feeefee6
eip=7c87c9e1 esp=0012f244 ebp=0012f298 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlDebugFreeHeap+0x82:
7c87c9e1 0fb707          movzx   eax,word ptr [edi]       ds:0023:feeefee6=????

0:000> k
ChildEBP RetAddr
0012f298 7c85567a ntdll!RtlDebugFreeHeap+0x82
0012f370 7c83e448 ntdll!RtlFreeHeapSlowly+0x37
0012f454 73c37fb4 ntdll!RtlFreeHeap+0x11a
0012f468 73c34a77 T2EMBED!T2free+0x1d
0012f86c 31dbbb54 T2EMBED!TTDeleteEmbeddedFont+0x7c
0012f884 31dbbae9 wwlib!DllCanUnloadNow+0x25fbcb
0012f8ec 313406d8 wwlib!DllCanUnloadNow+0x25fb60
0012f92c 3135944d wwlib!FMain+0xfc129
0012f950 3135926c wwlib!FMain+0x114e9e
0012f95c 31359231 wwlib!FMain+0x114cbd
0012f984 31244c5b wwlib!FMain+0x114c82
0012ff10 300015fb wwlib!FMain+0x6ac
0012ff30 3000156d winword+0x15fb
0012ffc0 77e6f32b winword+0x156d
0012fff0 00000000 kernel32!BaseProcessStart+0x23

Notes:
- Reproduces on Windows Server 2003 (as an access violation) and Windows 7 (as a heap critical error).
- Opening the document causes a "Word experienced an error trying to open the file." dialog. After closing the dialog, and then closing Word, the crash occurs.
- The dereference of the "heap free checking constant" suggests use-after-free.
- Analysis shows the third argument of RtlpDebugPageHeapFree is 0xfeeefeee; this suggests that a pointer from a previously freed chunk is itself being freed.
- The callstack may suggest a misuse of the font embedding API. For example, this could be caused by multiple calls to TTDeleteEmbeddedFont using the same font reference handle.
- Breakpointing TTDeleteEmbeddedFont and recording the handle argument confirms that a font reference handle is deleted twice.
- The test case reduces to a 1-bit difference from the original sample document.
- The affected bit is in the lcbSttbfBkmkArto field of the FibRgFcLcb2007 (or FIBTable2007) structure.
- Attached samples: 9adcab7c_1_crash.doc (crashing file), 9adcab7c_1_orig.doc (original file)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
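As an added illustration (not part of the report, and not T2EMBED or Word code), the following C program models the pattern the notes describe: a small registry of font handles in which a second delete of the same handle would hand a stale pointer to free(), a guarded delete that clears the slot and rejects the repeat, and a replay of a recorded create/delete trace that finds the handle deleted twice, which is the check the breakpoint-and-record step performs. Every name (font_create, font_delete, find_double_delete, the Event type) and the "font" blobs are invented for the example.

```c
/* Added example (not from the report or from T2EMBED): a tiny font-handle
 * registry that models the double delete described above, with a guard and a
 * trace replay. All names and the "font" blobs are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HANDLES 16

typedef unsigned long FontHandle;          /* slot index + 1; 0 is never valid */

typedef struct {
    unsigned char *blob;                   /* stands in for the parsed font data */
    size_t len;
} EmbeddedFont;

static EmbeddedFont *g_table[MAX_HANDLES]; /* live font objects, NULL when free */

/* Register a font blob and return an opaque handle, or 0 if the table is full
 * or allocation fails. */
FontHandle font_create(const unsigned char *data, size_t len) {
    for (size_t i = 0; i < MAX_HANDLES; i++) {
        if (g_table[i] != NULL) continue;
        EmbeddedFont *f = malloc(sizeof *f);
        if (f == NULL) return 0;
        f->blob = malloc(len > 0 ? len : 1);
        if (f->blob == NULL) { free(f); return 0; }
        memcpy(f->blob, data, len);
        f->len = len;
        g_table[i] = f;
        return (FontHandle)(i + 1);
    }
    return 0;
}

/* Guarded delete. Returns 0 on success, -1 if the handle is out of range or no
 * longer live. The slot is cleared after the free, so a second delete of the
 * same handle (the misuse in the report) is rejected instead of passing a
 * stale pointer to free(), which is what RtlDebugFreeHeap caught above. */
int font_delete(FontHandle h) {
    if (h == 0 || h > MAX_HANDLES) return -1;
    EmbeddedFont *f = g_table[h - 1];
    if (f == NULL) return -1;              /* already deleted */
    free(f->blob);
    free(f);
    g_table[h - 1] = NULL;
    return 0;
}

/* One recorded call, as a breakpoint on the create/delete entry points would log it. */
typedef enum { EV_CREATE, EV_DELETE } EvKind;
typedef struct { EvKind kind; FontHandle h; } Event;

/* Replay a call trace and return the first handle that is deleted while not
 * live (deleted twice without being re-created in between), or 0 if none.
 * Creates are tracked because handle values are reused after a delete. */
FontHandle find_double_delete(const Event *ev, size_t n) {
    unsigned char live[MAX_HANDLES + 1] = {0};
    for (size_t i = 0; i < n; i++) {
        FontHandle h = ev[i].h;
        if (h == 0 || h > MAX_HANDLES) continue;
        if (ev[i].kind == EV_CREATE) {
            live[h] = 1;
        } else if (live[h]) {
            live[h] = 0;
        } else {
            return h;                      /* delete of a handle that is not live */
        }
    }
    return 0;
}

/* Create two fonts, delete the second one twice, and return the status of the
 * repeated delete (-1 with the guard in place). Cleans up both handles. */
int demo_double_delete(void) {
    static const unsigned char blob_a[] = "constructed font blob A";
    static const unsigned char blob_b[] = "constructed font blob B";
    FontHandle a = font_create(blob_a, sizeof blob_a);
    FontHandle b = font_create(blob_b, sizeof blob_b);
    if (a == 0 || b == 0) return -99;
    int first = font_delete(b);            /* legitimate delete */
    int second = font_delete(b);           /* same handle again: the bug */
    font_delete(a);
    return first == 0 ? second : -98;
}

/* Constructed trace: handle 2 is deleted twice, handle 1 once. Returns 2. */
FontHandle demo_trace(void) {
    static const Event trace[] = {
        { EV_CREATE, 1 }, { EV_CREATE, 2 },
        { EV_DELETE, 2 }, { EV_DELETE, 2 }, { EV_DELETE, 1 },
    };
    return find_double_delete(trace, sizeof trace / sizeof trace[0]);
}

int main(void) {
    printf("repeated delete status: %d\n", demo_double_delete());
    printf("handle deleted twice in trace: %lu\n", demo_trace());
    return 0;
}
```

The unguarded shape of font_delete (free the pointer in the slot without clearing the slot) is exactly the case where a second call frees memory that the heap has already filled with its free-pattern, which is why the register dump shows edi=feeefee6 being dereferenced inside RtlDebugFreeHeap.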
Comment 1 by hawkes@google.com (Project Member), Sep 16 2014
Further comments dated Nov 19 2014, Nov 20 2014, Nov 20 2014, Jan 13 2015