VegarLH / google-security-research

Automatically exported from code.google.com/p/google-security-research

Microsoft Office WordPerfect Invalid XOR #317

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Microsoft Office supports the WordPerfect (WPD) file format, and will
load WPD files with a ".doc" filename extension. The following access
violation was observed in Microsoft Office (WordPerfect conversion,
all versions):

(d70.dbc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00001130 ebx=0000000b ecx=00000026 edx=0000006e esi=0389aee0 edi=0011f51c
eip=0383f125 esp=0011f428 ebp=0011f4ac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
WPFT532!ConvertForeignToRtf+0x36ec:
0383f125 334609           xor     eax,[esi+0x9]     ds:0023:0389aee9=????????
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0011f4ac 0384655b WPFT532!ConvertForeignToRtf+0x36ec
0011f4c4 038392b4 WPFT532!AbortRtfToForeign+0x4496
0011f4dc 038394b8 WPFT532!EnumFontFamProc+0x1e66
0011f720 03839abb WPFT532!EnumFontFamProc+0x206a
0011f744 0383ba18 WPFT532!EnumFontFamProc+0x266d
0011f780 03886864 WPFT532!EnumFontFamProc+0x45ca
0011fa0c 03836c68 msconv97!FceForeignToRtf+0x264
0011fa38 31eab8bd WPFT532!ForeignToRtf32+0x56
0011fa64 31a3eb0c wwlib!DllCanUnloadNow+0x2d339c
0011fa98 31eabdf8 wwlib!wdCommandDispatch+0x365b15
001205c4 31a3f549 wwlib!DllCanUnloadNow+0x2d38d7
00121c98 31271d47 wwlib!wdCommandDispatch+0x366552
00122368 3129f0ee wwlib!FMain+0x2d790
00123468 3129e506 wwlib!FMain+0x5ab37
001234ac 3148d880 wwlib!FMain+0x59f4f
00126628 3148d5a1 wwlib!DllGetLCID+0xf43a
0012aa4c 3148d20e wwlib!DllGetLCID+0xf15b
0012aa9c 3148deac wwlib!DllGetLCID+0xedc8
0012dbf8 3148def1 wwlib!DllGetLCID+0xfa66
0012dc1c 31316bcb wwlib!DllGetLCID+0xfaab

Notes:

- Reproduces on Windows Server 2003 (Office 2003), Windows 7 (Office
2010), and Windows 8.1 (Office 2013). Only reproduces when opening via
shell/explorer, not through the Office Open File dialog (Ctrl+O).

- The value read from esi+9 is used in an XOR followed by an AND
instruction, and then the resulting value is written back to esi+9.

- Other writes to esi may also occur in close proximity to this crash.

- The crash has also been observed as an access violation on XOR
write, sometimes attempting to write to an image module. This is
commonly seen on Office 2010/Office 2013.

- The crash does not cleanly minimize (chunk reordering strategy).

Attached files: 2305852164_crash.doc (crashing file),
2305852164_orig.doc (original file)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 1 Apr 2015 at 10:10
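Added example, not part of the issue or of any Google tooling: a small Python triage helper that reads a WinDbg first-chance access-violation excerpt like the one above, pulls out the exception code, the faulting symbol, the registers and the faulting instruction, recomputes the effective address of the memory operand from the register dump, and checks it against the address WinDbg annotated (`esi+0x9` = `0389aee0+9` = `0389aee9`). It also reports whether the debugger could read the target (`????????` means it could not) and whether the memory operand is read, written, or read-modify-written. The sample input is the issue's own dump, trimmed; the register names and the base-plus-displacement operand form it handles are the only assumptions.

```python
"""Triage helper for a WinDbg first-chance access-violation excerpt.

Added example: recompute the faulting effective address from the
register dump and classify the memory access of the faulting instruction.
Assumes 32-bit general-purpose registers and memory operands of the
form [base] or [base+0xNN]; scaled-index forms are not handled.
"""
import re

# Constructed sample: the WinDbg excerpt quoted in the issue, trimmed to
# the lines the parser needs.
SAMPLE_DUMP = """\
(d70.dbc): Access violation - code c0000005 (first chance)
eax=00001130 ebx=0000000b ecx=00000026 edx=0000006e esi=0389aee0 edi=0011f51c
eip=0383f125 esp=0011f428 ebp=0011f4ac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
WPFT532!ConvertForeignToRtf+0x36ec:
0383f125 334609           xor     eax,[esi+0x9]     ds:0023:0389aee9=????????
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp|eip)=([0-9a-f]{8})\b")
EXC_RE = re.compile(r"Access violation - code ([0-9a-f]{8})")
SYM_RE = re.compile(r"^(\w+)!(\w+)\+0x([0-9a-f]+):\s*$", re.M)
# address, opcode bytes, mnemonic, operands, annotated address, annotated value
INSN_RE = re.compile(
    r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(.*?)\s+ds:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)",
    re.M,
)
MEM_RE = re.compile(r"\[(\w+)(?:\+0x([0-9a-f]+))?\]")

# Mnemonics that read their destination before writing it back.
RMW_MNEMONICS = {"xor", "and", "or", "add", "sub", "inc", "dec", "not", "neg"}


def parse_registers(dump):
    """Return {register_name: int} for every 32-bit register in the dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(dump)}


def effective_address(operands, regs):
    """Compute base+disp for the first memory operand, or None if there is none."""
    m = MEM_RE.search(operands)
    if not m:
        return None
    base = regs[m.group(1)]
    disp = int(m.group(2), 16) if m.group(2) else 0
    return (base + disp) & 0xFFFFFFFF


def classify_access(mnemonic, operands):
    """Classify the memory access as 'read', 'write', 'read-modify-write' or 'none'."""
    dst, _, src = (part.strip() for part in operands.partition(","))
    if MEM_RE.search(dst):
        return "read-modify-write" if mnemonic in RMW_MNEMONICS else "write"
    if MEM_RE.search(src):
        return "read"
    return "none"


def triage(dump):
    """Summarise the faulting instruction and cross-check WinDbg's annotation."""
    regs = parse_registers(dump)
    exc = EXC_RE.search(dump)
    insn = INSN_RE.search(dump)
    if not (exc and insn):
        raise ValueError("dump lacks an exception line or a faulting instruction")
    sym = SYM_RE.search(dump)
    eip, mnemonic, operands, annotated, value = insn.groups()
    ea = effective_address(operands, regs)
    return {
        "exception_code": int(exc.group(1), 16),
        "eip": int(eip, 16),
        "eip_consistent": regs.get("eip") == int(eip, 16),
        "symbol": f"{sym.group(1)}!{sym.group(2)}+0x{sym.group(3)}" if sym else None,
        "mnemonic": mnemonic,
        "operands": operands,
        "access": classify_access(mnemonic, operands),
        "effective_address": ea,
        "annotated_address": int(annotated, 16),
        "address_consistent": ea == int(annotated, 16),
        # WinDbg prints '????????' when it cannot read the target memory.
        "target_unreadable": value.startswith("?"),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_DUMP).items():
        print(f"{key:>20}: {val:#010x}" if isinstance(val, int) and not isinstance(val, bool) else f"{key:>20}: {val}")
```

For this dump the helper reports a read of an unreadable address whose computed value matches WinDbg's annotation, which is the quick check an analyst wants before trusting the rest of the dump; a mismatch would suggest the register line and the faulting instruction came from different stops. The read-modify-write classification covers the second note above: when the memory operand is the destination of an `xor` or `and`, the same unmapped address is hit again on the write-back.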


GoogleCodeExporter commented 9 years ago
This was reported to be a duplicate of 
https://code.google.com/p/google-security-research/issues/detail?id=315 
("Microsoft Office WordPerfect Invalid Copy Destination"), which was resolved 
in MS15-059.

Original comment by haw...@google.com on 19 Jun 2015 at 8:02