Daniellee1990 / google-security-research

Automatically exported from code.google.com/p/google-security-research

Microsoft Office 2007 and 2010 RTF frmtxtbrl EIP corruption #488

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following crash was observed in MS Office 2007 running under Windows 2003 
x86. Microsoft Office File Validation Add-In was disabled and Application 
Verifier was enabled for testing and reproduction. This sample also reproduced 
in Office 2010 running on Windows 7 x86. It did not reproduce in Microsoft 
Office 2013 running under Windows 8.1 x86.

To reproduce, place this string in a file with the extension .rtf and open it 
with MS Word 2007 or 2010.

{\rtf1{\pn\pnlvlbody\pndbnuml}\absw9\chatn\sect\frmtxtbrl\par}

DLL Versions:
wwlib.dll: 12.0.6726.5000
mso.dll: 12.0.6721.5000

eax=0348e320 ebx=0000000d ecx=00000a10 edx=00129c54 esi=0e79efa0 edi=0e7a2f20
eip=00000000 esp=00129c20 ebp=00129c80 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
00000000 ??              ???

0:000> kb L8
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
00129c1c 6bdd3086 0eb5aff0 00129c54 00129cdc 0x0
00129c80 6bde446e 034a2ec4 00129cf4 00000001 MSPTLS!LssbFIsSublineEmpty+0x35ce
00129cac 6bde5386 034a2ec0 00129cf4 00129d80 MSPTLS!LssbFIsSublineEmpty+0x149b6
00129d28 6bde54c2 0e78afa0 00129d80 00129ff0 MSPTLS!LssbFIsSublineEmpty+0x158ce
00129d50 6bddf354 034a2ec0 00129ecc 0e78afa0 MSPTLS!LssbFIsSublineEmpty+0x15a0a
00129f54 6bdc4b85 0348e320 000000f4 00000733 MSPTLS!LssbFIsSublineEmpty+0xf89c
00129f88 318e7807 0348e320 000000f4 00000733 MSPTLS!LsCreateLine+0x23
00129ffc 315c85ea 0357d088 0deac9c0 000000f4 wwlib!DllGetClassObject+0x1c36ac

EIP has been set to NULL with the following code:

.text:6BDD3050                 mov     edx, [eax+0Ch]
.text:6BDD3053                 imul    ecx, 0B8h
.text:6BDD3059                 mov     [ebp+var_2C], edx
.text:6BDD305C                 mov     edx, [eax+1Ch]
.text:6BDD305F                 mov     [ebp+var_28], edx
.text:6BDD3062                 lea     edx, [eax+3Ch]
.text:6BDD3065                 mov     [ebp+var_24], edx
.text:6BDD3068                 mov     edx, [eax+4Ch]
.text:6BDD306B                 mov     [ebp+var_20], edx
.text:6BDD306E                 lea     edx, [ebp+var_4]
.text:6BDD3071                 push    edx
.text:6BDD3072                 push    [ebp+arg_10]
.text:6BDD3075                 lea     edx, [ebp+var_2C]
.text:6BDD3078                 push    edx
.text:6BDD3079                 push    dword ptr [eax+70h]
.text:6BDD307C                 mov     eax, [ebp+var_10]
.text:6BDD307F                 call    dword ptr [ecx+eax+25Ch]

eax is pointing to a valid memory range; however, it appears that ecx is being 
used as an index into an array of 0xb8-sized objects and that ecx is either out 
of bounds or the expected object at that location is uninitialized.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by scvi...@google.com on 29 Jul 2015 at 2:57
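The call site above reads a function pointer at base + 0x25c + ecx*0xb8 and calls it without checking either the index or the loaded value (in the register dump, ecx = 0xa10 after the imul, which is 0xe * 0xb8, so the index that faulted is 14). The C program below is an added illustration of that addressing pattern and is not MSPTLS or Office code: the table layout, the entry count NUM_ENTRIES, the handler names and the result codes are all assumptions made for the example. It models the unchecked dispatch exactly as the listing computes the address, then shows the two checks a hardened dispatcher would apply before the indirect call: an index bound against the table size, and a NULL check on the slot, which is the "uninitialized object" case the report describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants taken from the disassembly: entries are 0xB8 bytes and the
   function pointer sits 0x25C past the table base before indexing. */
#define ENTRY_SIZE   0xB8u
#define FNPTR_OFFSET 0x25Cu
/* Assumed for the example: the real table's element count is unknown. */
#define NUM_ENTRIES  4u
#define TABLE_BYTES  (FNPTR_OFFSET + NUM_ENTRIES * ENTRY_SIZE)

typedef int (*handler_fn)(void);

enum dispatch_result { DISPATCH_OK = 0, DISPATCH_OOB = 1, DISPATCH_NULL = 2 };

/* Address arithmetic as the listing performs it:
   imul ecx, 0B8h ; call dword ptr [ecx+eax+25Ch] */
static size_t slot_offset(uint32_t idx) {
    return (size_t)FNPTR_OFFSET + (size_t)idx * ENTRY_SIZE;
}

/* Unchecked form, mirroring the crashing call site. With an unfilled slot the
   loaded pointer is 0 and the call lands on EIP=0, as in the crash dump. */
static int dispatch_unchecked(const uint8_t *base, uint32_t idx) {
    handler_fn fn;
    memcpy(&fn, base + slot_offset(idx), sizeof fn);
    return fn();
}

/* Hardened form: reject an index beyond the table (the out-of-bounds case)
   and a slot that was never populated (the uninitialized-object case). */
static enum dispatch_result dispatch_checked(const uint8_t *base, size_t base_len,
                                             uint32_t idx, int *out) {
    if (idx >= NUM_ENTRIES)
        return DISPATCH_OOB;
    size_t off = slot_offset(idx);
    if (off + sizeof(handler_fn) > base_len)
        return DISPATCH_OOB;
    handler_fn fn;
    memcpy(&fn, base + off, sizeof fn);
    if (fn == NULL)
        return DISPATCH_NULL;
    *out = fn();
    return DISPATCH_OK;
}

/* Hypothetical handlers standing in for the layout-service callbacks. */
static int handler_a(void) { return 0xA; }
static int handler_b(void) { return 0xB; }

/* Constructed table: slots 0 and 1 are filled, slots 2 and 3 stay zeroed to
   model entries that exist in memory but were never initialized. */
static void build_table(uint8_t *buf, size_t len) {
    memset(buf, 0, len);
    handler_fn a = handler_a, b = handler_b;
    memcpy(buf + slot_offset(0), &a, sizeof a);
    memcpy(buf + slot_offset(1), &b, sizeof b);
}

int main(void) {
    uint8_t table[TABLE_BYTES];
    int v = 0;
    build_table(table, sizeof table);
    printf("unchecked idx 0 -> %#x\n", dispatch_unchecked(table, 0));
    printf("checked idx 0  -> result %d, value %#x\n",
           dispatch_checked(table, sizeof table, 0, &v), v);
    printf("checked idx 2  -> result %d (NULL slot)\n",
           dispatch_checked(table, sizeof table, 2, &v));
    printf("checked idx 14 -> result %d (offset %#zx is past the table)\n",
           dispatch_checked(table, sizeof table, 14, &v), slot_offset(14));
    return 0;
}
```

Calling dispatch_unchecked with index 2 or 14 on this table reproduces the shape of the crash (a call through a zero or out-of-range slot), which is why the demo only calls it with a valid index.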

GoogleCodeExporter commented 9 years ago

Original comment by scvi...@google.com on 30 Jul 2015 at 2:11

GoogleCodeExporter commented 9 years ago
Microsoft won't fix this bug as they contend it is a non-exploitable issue, 
i.e. the call will always send EIP to NULL. Removing view restrictions.

Original comment by scvi...@google.com on 7 Oct 2015 at 6:29