The following access violation was observed in Microsoft Office 2007 (Word):
(818.a8c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012e0dc ebx=00000000 ecx=03df3800 edx=00000000 esi=32124af8 edi=00fd004d
eip=00fd004d esp=0012e0c4 ebp=0012ea84 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
00fd004d ffff ???
0:000> k
ChildEBP RetAddr
0012e0c0 31311ee5 0xfd004d
0012ea84 312a75ba wwlib!FMain+0xcd936
0012f3b4 312a74dc wwlib!FMain+0x6300b
0012f3d4 312a749b wwlib!FMain+0x62f2d
0012f3f4 312a7465 wwlib!FMain+0x62eec
0012f404 32687638 wwlib!FMain+0x62eb6
0012f41c 326edfb2 mso!Ordinal2503+0x1461
0012f434 326edb7a mso!Ordinal4676+0x2b6
0012f454 326d2157 mso!Ordinal1680+0x244
0012f474 326d1f88 mso!Ordinal7114+0x45
0012f49c 326e36e0 mso!Ordinal4515+0x88
0012f4b0 326e369b mso!Ordinal7156+0x475
0012f4c0 326e3657 mso!Ordinal7156+0x430
0012f4d0 326ebe32 mso!Ordinal7156+0x3ec
0012f4e8 326ebdd4 mso!Ordinal112+0x43e
0012f50c 326eb8fe mso!Ordinal112+0x3e0
0012f540 326f14b2 mso!Ordinal7348+0x8d
0012f560 326f0ffc mso!Ordinal2178+0x82
0012f584 326f14b2 mso!Ordinal2096+0x2b
0012f5a4 326ea7fd mso!Ordinal2178+0x82
Notes:
- Reproduces on Windows Server 2003 and Windows 7
- The crash manifests as an attempt to execute an invalid page: eip
(0x00fd004d) holds the same value as edi and does not point at mapped
code. This is because of an out-of-bounds read of structured data (each
entry being 0x30 bytes, including a function pointer) in the wwlib.dll
image, with the function pointer read from the out-of-bounds entry being
used as the call target.
- Breaking conditionally on the invalid structure entry in the parent
function shows that the invalid structure entry comes from a
calculation on the first argument added to a base address of
0x31365DD0 (in wwlib.dll version 12.0.6705.5000). This suggests that
the invalid pointer comes from a deterministic offset from the wwlib
image.
- The invalid index argument value is 0x7014b, which results in a
calculated offset of 0x18DE0. Normally the index is bounded, at most
0x1FFF * 0x30 (checked at instruction 312A751A in wwlib.dll version
12.0.6705.5000). However, when the index argument value is not 8-byte
aligned, there is a code path that bypasses the upper bound check.
- The crashing test case was created using a chunk rearrangement
strategy, so the differential from the original file does not minimize
cleanly (390 bit deltas).
- Attached samples: b0ce839d_crash.doc (crashing file),
b0ce839d_orig.doc (original file)
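The following is an added C model of the pattern the notes describe (a table of 0x30-byte entries carrying a function pointer, indexed by a caller-supplied value whose upper bound is only enforced on one code path), placed beside a hardened lookup. It is an illustration written for this report and is not wwlib's code, layout or instruction sequence: the entry struct, the sample table, the handlers, and the names vuln_entry_offset, lookup_safe and dispatch are all hypothetical, and the offset calculation is a plain index * 0x30 because the page does not give the real calculation that turns 0x7014b into 0x18DE0.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the bug pattern described in the notes: a table of
 * 0x30-byte entries, each holding a function pointer, indexed by a caller
 * supplied value whose upper bound is only enforced on one code path. Not
 * wwlib's code or layout; the offset calculation is a plain index *
 * ENTRY_SIZE since the real one is not given. */
#define ENTRY_SIZE    0x30
#define MAX_INDEX     0x1FFF   /* the bound the notes describe */
#define TABLE_ENTRIES 16       /* size of the constructed sample table */

typedef struct {
    int (*handler)(void);
    uint8_t pad[ENTRY_SIZE - sizeof(int (*)(void))];
} entry_t;

static int h_zero(void) { return 0; }
static int h_one(void)  { return 1; }

/* Constructed sample table; entries past index 1 have a NULL handler. */
static const entry_t sample_table[TABLE_ENTRIES] = {
    [0] = { .handler = h_zero },
    [1] = { .handler = h_one },
};

/* Vulnerable offset computation: returns the byte offset from the table
 * base that would be dereferenced, or -1 if the index is rejected. The
 * bound is only checked when the index is 8-byte aligned, so a misaligned
 * index of any size reaches the dereference. */
static int64_t vuln_entry_offset(uint32_t index)
{
    if ((index & 7) == 0 && index > MAX_INDEX)
        return -1;
    return (int64_t)index * ENTRY_SIZE;
}

/* True if an entry at byte offset off lies entirely inside a table of
 * n_entries entries. */
static int offset_in_table(int64_t off, size_t n_entries)
{
    return off >= 0 &&
           (uint64_t)off + ENTRY_SIZE <= (uint64_t)n_entries * ENTRY_SIZE;
}

/* Hardened lookup: bound against the real table size on every path, and
 * refuse entries whose function pointer is unset. */
static const entry_t *lookup_safe(const entry_t *table, size_t n_entries,
                                  uint32_t index)
{
    if (index >= n_entries)
        return NULL;
    if (table[index].handler == NULL)
        return NULL;
    return &table[index];
}

/* Dispatch through the hardened lookup; -1 means the index was rejected. */
static int dispatch(const entry_t *table, size_t n_entries, uint32_t index)
{
    const entry_t *e = lookup_safe(table, n_entries, index);
    return e ? e->handler() : -1;
}

int main(void)
{
    uint32_t idx = 0x7014b;   /* the index value from the crashing sample */
    int64_t off = vuln_entry_offset(idx);
    printf("index 0x%x: aligned=%d offset=0x%llx in_table=%d\n",
           idx, (idx & 7) == 0, (unsigned long long)off,
           offset_in_table(off, TABLE_ENTRIES));
    printf("aligned index 0x8000 rejected: %d\n",
           vuln_entry_offset(0x8000) == -1);
    printf("hardened dispatch(1)=%d dispatch(0x7014b)=%d\n",
           dispatch(sample_table, TABLE_ENTRIES, 1),
           dispatch(sample_table, TABLE_ENTRIES, idx));
    return 0;
}
```

The misaligned index 0x7014b skips the bound in vuln_entry_offset and produces an offset far outside the 16-entry sample table, which is the shape of the crash above; an aligned index past the bound is rejected. The hardened version checks the index against the actual entry count on every path and rejects unset function pointers before anything is called.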
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.