The following access violation was observed in Microsoft Office 2007:
(c08.df0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00150448 ebx=00000003 ecx=0022bd28 edx=00150000 esi=0023ae68 edi=00000000
eip=feeefeee esp=00129350 ebp=001293b8 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
feeefeee ?? ???
0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012934c 6520d0b2 0xfeeefeee
00129354 651de772 VBE6!ExtendedControl_Release+0xd
00129364 651de7c6 VBE6!CVBAControlMgr::PreDestructControlRec+0x47
00129378 65176fc0 VBE6!CVBAControlMgr::ReleaseReferences+0x27
001293b8 65177022 VBE6!VBAExtension::UnadviseAndRelease+0x1b3
001293d0 65177325 VBE6!VBAExtension::ZombieMe+0x22
001293dc 65163105 VBE6!TipZombieInstances+0x29
001293f8 65122c41 VBE6!EbCloseProject+0x10d
*** ERROR: Symbol file could not be found. Defaulted to export
symbols for C:\Program Files\Microsoft Office\Office12\wwlib.dll -
0012940c 31342633 VBE6!CVbeProject::Close+0x85
00129424 313422c9 wwlib!FMain+0xfe084
00129434 313421e3 wwlib!FMain+0xfdd1a
0012944c 31341e81 wwlib!FMain+0xfdc34
00129478 31341ae1 wwlib!FMain+0xfd8d2
00129484 3134076f wwlib!FMain+0xfd532
001294c0 3133f33a wwlib!FMain+0xfc1c0
00129510 3133ed9a wwlib!FMain+0xfad8b
00129530 3133dac1 wwlib!FMain+0xfa7eb
00129598 3133d84f wwlib!FMain+0xf9512
0012a618 320bd72f wwlib!FMain+0xf92a0
0012a6ac 7739b6e3 wwlib!DllCanUnloadNow+0x5617a6
Notes:
- Reproduces on Windows Server 2003 and Windows 7.
- When opening the document, a dialog box appears with the text “The
dimensions after cropping are too small or too large”.
- Upon closing the document, the crash occurs.
- Appears to be a use-after-free in VBA’s ExtendedControl class
(vbe6.dll) triggered by CVBAControlMgr’s PreDestructControlRec method.
- The crash occurs when a vtable is used from an already freed object,
resulting in eip being set to the heap free checking constant.
- The test case reduces to a 5-bit difference from the original sample document.
- Three of these bits seem to have particular relevance in causing the
crashing behavior: a modification to a “Data” field in a
WordDocumentStream structure, and two modifications to an embedded
object (DataStream).
- Attached samples: cac47ead_1_crash.doc (crashing file),
cac47ead_1_orig.doc (original file)
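As an added triage aid (not part of this report), the script below parses a WinDbg excerpt of the shape shown above, checks whether eip landed on a known debug-heap or CRT fill constant (0xfeeefeee being the freed-heap fill that indicates the stale vtable call), and picks out the first symbolized frame, which here is the caller of the freed object. The sample text is a constructed copy of the dump above; the fill-constant table holds well-known Windows values, not data from the report.

```python
import re

# Well-known Windows debug-heap / CRT fill constants (assumed knowledge, not from the report).
FILL_PATTERNS = {
    0xFEEEFEEE: "freed heap (debug heap fill)",
    0xBAADF00D: "uninitialized heap allocation",
    0xCDCDCDCD: "uninitialized CRT heap",
    0xDDDDDDDD: "freed CRT heap",
}

# Constructed sample: a trimmed copy of the crash excerpt from this report.
CRASH_TEXT = """\
(c08.df0): Access violation - code c0000005 (first chance)
eax=00150448 ebx=00000003 ecx=0022bd28 edx=00150000 esi=0023ae68 edi=00000000
eip=feeefeee esp=00129350 ebp=001293b8 iopl=0 nv up ei pl zr na po nc
0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012934c 6520d0b2 0xfeeefeee
00129354 651de772 VBE6!ExtendedControl_Release+0xd
00129364 651de7c6 VBE6!CVBAControlMgr::PreDestructControlRec+0x47
"""


def parse_registers(text):
    """Return {name: value} for the x86 general registers in a WinDbg register dump."""
    regs = {}
    for m in re.finditer(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})", text):
        regs[m.group(1)] = int(m.group(2), 16)
    return regs


def first_symbolized_frame(text):
    """First 'k' frame whose symbol resolves to module!symbol (skips raw-address frames)."""
    for m in re.finditer(r"^\s*[0-9a-f]{8} [0-9a-f]{8} (\S+)\s*$", text, re.M):
        if "!" in m.group(1):
            return m.group(1)
    return None


def triage(text):
    """Classify the crash: fill pattern under eip, and whether it looks like a UAF."""
    eip = parse_registers(text).get("eip")
    fill = FILL_PATTERNS.get(eip)
    ip_unknown = "Frame IP not in any known module" in text
    return {
        "eip": eip,
        "eip_fill_pattern": fill,
        # eip inside freed memory plus an unresolvable frame is the classic stale-vtable signature
        "likely_uaf": fill is not None and "freed" in fill and ip_unknown,
        "last_good_frame": first_symbolized_frame(text),
    }
```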
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.