Microsoft Office WordPerfect Invalid Copy Destination

Reported by hawkes@google.com (Project Member), Apr 1 2015
Microsoft Office supports the WordPerfect (WPD) file format, and will load WPD files with a ".doc" filename extension. The following access violation was observed in Microsoft Office (WordPerfect conversion, all versions):

(6d0.360): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=43000000 ebx=0000005a ecx=00000049 edx=7c82845c esi=03874e80 edi=00670065
eip=03868b3e esp=0011f4b8 ebp=0011f4c4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
WPFT532!AbortRtfToForeign+0x6a79:
03868b3e f3a5            rep movsd ds:03874e80=00001014 es:00670065=????????

0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0011f4c4 03859303 WPFT532!AbortRtfToForeign+0x6a79
0011f4dc 038594b8 WPFT532!EnumFontFamProc+0x1eb5
0011f720 03859abb WPFT532!EnumFontFamProc+0x206a
0011f744 0385ba18 WPFT532!EnumFontFamProc+0x266d
0011f780 038b6864 WPFT532!EnumFontFamProc+0x45ca
0011fa0c 03856c68 msconv97!FceForeignToRtf+0x264
0011fa38 31eab8bd WPFT532!ForeignToRtf32+0x56
0011fa64 31a3eb0c wwlib!DllCanUnloadNow+0x2d339c
0011fa98 31eabdf8 wwlib!wdCommandDispatch+0x365b15
001205c4 31a3f549 wwlib!DllCanUnloadNow+0x2d38d7
00121c98 31271d47 wwlib!wdCommandDispatch+0x366552
00122368 3129f0ee wwlib!FMain+0x2d790
00123468 3129e506 wwlib!FMain+0x5ab37
001234ac 3148d880 wwlib!FMain+0x59f4f
00126628 3148d5a1 wwlib!DllGetLCID+0xf43a
0012aa4c 3148d20e wwlib!DllGetLCID+0xf15b
0012aa9c 3148deac wwlib!DllGetLCID+0xedc8
0012dbf8 3148def1 wwlib!DllGetLCID+0xfa66
0012dc1c 31316bcb wwlib!DllGetLCID+0xfaab
0012ee80 31af3b3e wwlib!FMain+0xd2614

Notes:
- Reproduces on Windows Server 2003 (Office 2003), Windows 7 (Office 2010), and Windows 8.1 (Office 2013).
- The crash occurs due to a memcpy with an invalid destination buffer.
- The minimized test case has a 65 bit delta (chunk rearrangement strategy) from the original file.
- The minimized test crashes on an out-of-bounds read just prior to the memcpy operation - the pointer that is read from an out-of-bounds address is used as the destination buffer.
- Attached files: 3522318102_crash.doc (crashing file), 3522318102_min.doc (minimized file), 3522318102_orig.doc (original file)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
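The failure mode the notes describe, a file-controlled index reading a pointer from past the end of a table and that pointer then becoming memcpy's destination (in the dump, rep movsd faults writing to es:edi = 0x00670065), is the kind of converter defect that a bounds check on the index before the table lookup prevents. The C below is an added illustration, not code from this report or from the WPFT532 converter; its chunk layout, slot table and sample records are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified chunk layout (not WordPerfect's real format):
 * byte 0 = destination slot index, bytes 1-2 = payload length (LE), rest = payload. */
#define SLOT_COUNT 4
#define SLOT_CAP   16

struct converter {
    uint8_t  slot[SLOT_COUNT][SLOT_CAP];
    uint8_t *dest[SLOT_COUNT];   /* pointer table that the file-supplied index selects from */
};

static void converter_init(struct converter *c)
{
    memset(c, 0, sizeof *c);
    for (size_t i = 0; i < SLOT_COUNT; i++)
        c->dest[i] = c->slot[i];
}

/* Returns bytes copied, or -1 if the chunk is rejected. Without the idx check,
 * dest[idx] is read from beyond the table and whatever garbage sits there is
 * handed to memcpy as the destination, which is the crash the report shows. */
static int convert_chunk(struct converter *c, const uint8_t *chunk, size_t n)
{
    if (n < 3) return -1;                               /* truncated header */
    uint8_t idx = chunk[0];
    size_t  len = (size_t)chunk[1] | ((size_t)chunk[2] << 8);
    if (idx >= SLOT_COUNT) return -1;                   /* would read dest[] out of bounds */
    if (len > SLOT_CAP || len > n - 3) return -1;       /* would overflow slot / over-read chunk */
    memcpy(c->dest[idx], chunk + 3, len);
    return (int)len;
}

static struct converter g_conv;
static const uint8_t REC_GOOD[]  = {1, 3, 0, 'a', 'b', 'c'};     /* constructed samples */
static const uint8_t REC_IDX[]   = {200, 3, 0, 'a', 'b', 'c'};   /* index past the table */
static const uint8_t REC_LEN[]   = {0, 0xff, 0x00, 'a'};          /* length > slot capacity */
static const uint8_t REC_TRUNC[] = {0, 2};                         /* header cut short */

int demo_good(void) { converter_init(&g_conv); return convert_chunk(&g_conv, REC_GOOD, sizeof REC_GOOD); }
int demo_rejected(void)   /* 3 when every malformed chunk is refused */
{
    int r = 0;
    r += convert_chunk(&g_conv, REC_IDX, sizeof REC_IDX) == -1;
    r += convert_chunk(&g_conv, REC_LEN, sizeof REC_LEN) == -1;
    r += convert_chunk(&g_conv, REC_TRUNC, sizeof REC_TRUNC) == -1;
    return r;
}

int main(void) { printf("copied=%d rejected=%d\n", demo_good(), demo_rejected()); return 0; }
```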
Comment 1 by hawkes@google.com (Project Member), Apr 1 2015

Jun 19 2015: Resolved in MS15-059.

Jun 19 2015: Issue 317 has been merged into this issue.