Microsoft Office 2007 PapxFkp rgbx bOffset memory corruption

[GoogleCodeExporter]

The following access violation was observed in Microsoft Office 2007:

(9c4.1ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001d2e96 ebx=04c0dd00 ecx=00000000 edx=00ad0a04 esi=001d2e96 edi=04c0dd28
eip=312d4bf7 esp=0012067c ebp=0012067c iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
wwlib!FMain+0x90648:
312d4bf7 8b4808           mov     ecx,[eax+0x8]     ds:0023:001d2e9e=????????
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012067c 312d4be0 wwlib!FMain+0x90648
0012068c 320d2bcc wwlib!FMain+0x90631
00120888 6be435e4 wwlib!DllCanUnloadNow+0x576c43
00120910 6be6758f MSPTLS!FsDestroyMemory+0x1090b
00120990 6be66bfd MSPTLS!FsDestroyMemory+0x348b6
00120a50 6be446a0 MSPTLS!FsDestroyMemory+0x33f24
00120b54 6be44f13 MSPTLS!FsDestroyMemory+0x119c7
00120bb0 6be33537 MSPTLS!FsDestroyMemory+0x1223a
00120c64 6be2582c MSPTLS!FsDestroyMemory+0x85e
00120d40 6be4e8eb MSPTLS!FsQueryTableObjFigureListWord+0x2a0
00120dd0 6be4f1ff MSPTLS!FsDestroyMemory+0x1bc12
00120e74 6be4f362 MSPTLS!FsDestroyMemory+0x1c526
00120f14 6be4f5cc MSPTLS!FsDestroyMemory+0x1c689
001210c8 6be35d9f MSPTLS!FsDestroyMemory+0x1c8f3
001211dc 6be68cc0 MSPTLS!FsDestroyMemory+0x30c6
001212d4 6be4dfba MSPTLS!FsDestroyMemory+0x35fe7
00121428 6be35283 MSPTLS!FsDestroyMemory+0x1b2e1
0012147c 6be4914a MSPTLS!FsDestroyMemory+0x25aa
001214e0 6be63a7a MSPTLS!FsDestroyMemory+0x16471
00121570 6be63c4c MSPTLS!FsDestroyMemory+0x30da1

Notes:

- Reproduces on Windows Server 2003 and Windows 7.
- The first argument to the crashing function points to invalid memory.
- In testing, the crashing address commonly corresponds to the
reserved section of an existing heap segment.
- The crash occurs when reading a value from an invalid pointer, but
analysis shows that this is likely to result in memory corruption
(pseudo-code follows):

/* --- start snippet --- */
typedef struct {
    DWORD oo_ent_0;
    . . .
    DWORD oo_ent_20;
    DWORD oo_ent_24;
} other_obj;

typedef struct {
    other_obj *ent_0;
    DWORD ent_4;
    INT ent_8;
    DWORD ent_C;
    DWORD ent_10;
    . . .
} obj_type;

DWORD crash_func(obj_type *invalid) {
    INT x = invalid->ent_8; /* crash occurs here */

    if (x < 0) {
      x += invalid->ent_0->oo_ent_0;
    }

    return (DWORD) x;
}

DWORD crash_child(obj_type *invalid, DWORD x) {
    other_obj *y = invalid->ent_0;
    DWORD z = 0;

    if (x >= y->oo_ent_20) {
      z = y->ent_24;
    }

    return invalid->ent_4 + z;
}

obj_type *crash_parent(obj_type *invalid) {
    DWORD ret;

    ret = crash_func(invalid); /* read crash occurs in this function */
    ret = crash_child(invalid, ret);

    invalid->ent_10 = ret; /* memory corruption minimally occurs here */
    return invalid;
}
/* --- end snippet --- */

- Note that the invalid address is later dereferenced for a write
operation (on “ent_10”) in the crashing function’s parent.
- If due to heap layout there is a readable memory at the “invalid”
pointer location, then the crash may well occur on the dereference of
“invalid->ent_0->oo_ent_0” (i.e. mov eax, [eax]). This has been
observed in testing.
- The test-case reduces to a 1-bit difference from the original sample document.
- The affected bit is in the “bOffset” field of the PapxFkp rgbx structure.
- Attached samples: 68a7f675_1_crash.doc (crashing file),
68a7f675_1_orig.doc (original file)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 17 Sep 2014 at 1:12

Attachments:

• 68a7f675_1_crash.doc
• 68a7f675_1_orig.doc

[GoogleCodeExporter]

Original comment by haw...@google.com on 17 Sep 2014 at 9:21

• Added labels: Reported-2014-September-17
• Removed labels: Reported-2014-September-16

[GoogleCodeExporter]

Original comment by haw...@google.com on 17 Sep 2014 at 10:00

• Added labels: MSRC-20401

[GoogleCodeExporter]

Original comment by haw...@google.com on 19 Nov 2014 at 8:02

• Added labels: CVE-2014-6335

[GoogleCodeExporter]

Original comment by cev...@google.com on 20 Nov 2014 at 12:52

• Changed state: Fixed
• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

MS bulletin: https://technet.microsoft.com/library/security/MS14-069

Original comment by cev...@google.com on 20 Nov 2014 at 1:18

• Added labels: Fixed-2014-Nov-11

[GoogleCodeExporter]

Original comment by cev...@google.com on 20 Nov 2014 at 1:18

• Added labels: Vendor-Microsoft
• Removed labels: Vendor-Microsfot

[GoogleCodeExporter]

Original comment by scvi...@google.com on 13 Jan 2015 at 12:23

• Added labels: Reported-2014-Sep-17
• Removed labels: Reported-2014-September-17