|
|
Microsoft Office 2007 PapxFkp rgbx bOffset memory corruption | ||||||
| Project Member Reported by hawkes@google.com, Sep 17 2014 | Back to list | ||||||
The following access violation was observed in Microsoft Office 2007:
(9c4.1ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001d2e96 ebx=04c0dd00 ecx=00000000 edx=00ad0a04 esi=001d2e96 edi=04c0dd28
eip=312d4bf7 esp=0012067c ebp=0012067c iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
wwlib!FMain+0x90648:
312d4bf7 8b4808 mov ecx,[eax+0x8] ds:0023:001d2e9e=????????
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012067c 312d4be0 wwlib!FMain+0x90648
0012068c 320d2bcc wwlib!FMain+0x90631
00120888 6be435e4 wwlib!DllCanUnloadNow+0x576c43
00120910 6be6758f MSPTLS!FsDestroyMemory+0x1090b
00120990 6be66bfd MSPTLS!FsDestroyMemory+0x348b6
00120a50 6be446a0 MSPTLS!FsDestroyMemory+0x33f24
00120b54 6be44f13 MSPTLS!FsDestroyMemory+0x119c7
00120bb0 6be33537 MSPTLS!FsDestroyMemory+0x1223a
00120c64 6be2582c MSPTLS!FsDestroyMemory+0x85e
00120d40 6be4e8eb MSPTLS!FsQueryTableObjFigureListWord+0x2a0
00120dd0 6be4f1ff MSPTLS!FsDestroyMemory+0x1bc12
00120e74 6be4f362 MSPTLS!FsDestroyMemory+0x1c526
00120f14 6be4f5cc MSPTLS!FsDestroyMemory+0x1c689
001210c8 6be35d9f MSPTLS!FsDestroyMemory+0x1c8f3
001211dc 6be68cc0 MSPTLS!FsDestroyMemory+0x30c6
001212d4 6be4dfba MSPTLS!FsDestroyMemory+0x35fe7
00121428 6be35283 MSPTLS!FsDestroyMemory+0x1b2e1
0012147c 6be4914a MSPTLS!FsDestroyMemory+0x25aa
001214e0 6be63a7a MSPTLS!FsDestroyMemory+0x16471
00121570 6be63c4c MSPTLS!FsDestroyMemory+0x30da1
Notes:
- Reproduces on Windows Server 2003 and Windows 7.
- The first argument to the crashing function points to invalid memory.
- In testing, the crashing address commonly corresponds to the
reserved section of an existing heap segment.
- The crash occurs when reading a value from an invalid pointer, but
analysis shows that this is likely to result in memory corruption
(pseudo-code follows):
/* --- start snippet --- */
typedef struct {
DWORD oo_ent_0;
. . .
DWORD oo_ent_20;
DWORD oo_ent_24;
} other_obj;
typedef struct {
other_obj *ent_0;
DWORD ent_4;
INT ent_8;
DWORD ent_C;
DWORD ent_10;
. . .
} obj_type;
DWORD crash_func(obj_type *invalid) {
INT x = invalid->ent_8; /* crash occurs here */
if (x < 0) {
x += invalid->ent_0->oo_ent_0;
}
return (DWORD) x;
}
DWORD crash_child(obj_type *invalid, DWORD x) {
other_obj *y = invalid->ent_0;
DWORD z = 0;
if (x >= y->oo_ent_20) {
z = y->ent_24;
}
return invalid->ent_4 + z;
}
obj_type *crash_parent(obj_type *invalid) {
DWORD ret;
ret = crash_func(invalid); /* read crash occurs in this function */
ret = crash_child(invalid, ret);
invalid->ent_10 = ret; /* memory corruption minimally occurs here */
return invalid;
}
/* --- end snippet --- */
- Note that the invalid address is later dereferenced for a write
operation (on “ent_10”) in the crashing function’s parent.
- If due to heap layout there is a readable memory at the “invalid”
pointer location, then the crash may well occur on the dereference of
“invalid->ent_0->oo_ent_0” (i.e. mov eax, [eax]). This has been
observed in testing.
- The test-case reduces to a 1-bit difference from the original sample document.
- The affected bit is in the “bOffset” field of the PapxFkp rgbx structure.
- Attached samples: 68a7f675_1_crash.doc (crashing file),
68a7f675_1_orig.doc (original file)
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Project Member
Comment 1
by
hawkes@google.com,
Sep 17 2014
,
Sep 17 2014
,
Nov 19 2014
,
Nov 20 2014
,
Nov 20 2014
,
Nov 20 2014
,
Jan 13 2015
|
|||||||
| ► Sign in to add a comment | |||||||
