jack51706 / google-security-research

Automatically exported from code.google.com/p/google-security-research

Microsoft Office 2007 lcbPlcffndTxt/fcPlfguidUim memory corruption #108

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following access violation was observed in Microsoft Office 2007:

(7b4.d5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000245d ebx=00003db4 ecx=03b57000 edx=000877e6 esi=0000001a edi=00087800
eip=31af194a esp=0011f654 ebp=0011f65c iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010287
wwlib!wdCommandDispatch+0x46a0c3:
31af194a 66833c7900       cmp  word ptr [ecx+edi*2],0x0 ds:0023:03c66000=????
0:000> k
ChildEBP RetAddr
0011f65c 31818c6d wwlib!wdCommandDispatch+0x46a0c3
0011f690 319cf050 wwlib!wdCommandDispatch+0x1913e6
0011f6b4 315f0209 wwlib!wdCommandDispatch+0x3477c9
0011f998 31974378 wwlib!DllGetClassObject+0x174e62
0011ff88 3134ed9a wwlib!wdCommandDispatch+0x2ecaf1
00120194 3134eb07 wwlib!FMain+0x10a7eb
0012022c 6bdd1d83 wwlib!FMain+0x10a558
001202dc 6bdd24c8 MSPTLS!LssbFIsSublineEmpty+0x22cb
0012035c 6bddf8e0 MSPTLS!LssbFIsSublineEmpty+0x2a10
001203c0 6bddff5d MSPTLS!LssbFIsSublineEmpty+0xfe28
001203f0 6bddf1ef MSPTLS!LssbFIsSublineEmpty+0x104a5
001205f4 6bdc4b85 MSPTLS!LssbFIsSublineEmpty+0xf737
00120628 312dc82a MSPTLS!LsCreateLine+0x23
0012069c 312dc243 wwlib!FMain+0x9827b
00120704 312dbc97 wwlib!FMain+0x97c94
001207f4 6be51b27 wwlib!FMain+0x976e8
00120894 6be5c65b MSPTLS!FsDestroyMemory+0x1ee4e
00120a0c 6be5c94c MSPTLS!FsDestroyMemory+0x29982
00120a58 6be36d59 MSPTLS!FsDestroyMemory+0x29c73
00120ac4 6be37f87 MSPTLS!FsDestroyMemory+0x4080

Notes:

- Reproduces on Windows Server 2003 and Windows 7. Running the sample
with a fresh filename each time is recommended due to document
recovery interfering with reproduction on subsequent attempts.
- The accessed page is in state MEM_FREE.
- The crashing function reads off the end of a heap segment. It
appears to be counting the number of positive non-zero SHORT values in
an array from a supplied offset.
- The array bounds are supplied in the second argument to the
function. In the crashing case, this bounds value is set to
0x02000005.
- The same invalid bounds value is used in an immediately subsequent
function call in a calculation of the destination buffer address for a
memcpy, which suggests this bug is sufficient to cause memory
corruption.
- The test case reduces to a 2-bit difference from the original sample document.
- The affected bits are in the lcbPlcffndTxt field of the FibRgFcLcb97
(or FIBTable97) structure, and the fcPlfguidUim field of the
FibRgFcLcb2002 (or FIBTable2002) structure.
- Attached samples: 12c4c461_1_crash.doc (crashing file),
12c4c461_1_orig.doc (original file)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 16 Sep 2014 at 1:23

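As an added example (not code from the report, from Office or from wwlib), the following C reconstructs the pattern the notes describe: a loop that counts positive non-zero SHORTs with a bound taken straight from the file, beside a hardened variant that validates the (fc, lcb) pair against the stream it indexes before using it as an array bound. The `stream_t` type, the function names, the `overread_bytes` helper and the sample data are all assumptions constructed for this example; the only values taken from the report are the bound 0x02000005 and the SHORT element size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A slice of an in-memory table stream: `len` bytes at `data`.
 * Constructed for this example; not a Word-internal structure. */
typedef struct {
    const uint8_t *data;
    size_t len;
} stream_t;

/* Reconstruction of the vulnerable pattern described in the report: walk
 * `count` SHORTs from `arr` and count the positive non-zero ones. Nothing
 * ties `count` to the allocation behind `arr`, so a file-controlled count
 * such as 0x02000005 walks ~64 MiB past the heap segment and faults on the
 * first unmapped page. Only call this with a count already known to fit. */
size_t count_positive_shorts_unchecked(const int16_t *arr, size_t count)
{
    size_t n = 0;
    for (size_t i = 0; i < count; i++) {
        if (arr[i] > 0)
            n++;
    }
    return n;
}

/* How many bytes beyond `avail` the unchecked loop would touch for a given
 * SHORT count (0 if it fits). 64-bit arithmetic so the multiply cannot wrap
 * on a 32-bit build. */
uint64_t overread_bytes(uint64_t count, uint64_t avail)
{
    uint64_t need = count * 2;
    return need > avail ? need - avail : 0;
}

/* Hardened variant: the (fc, lcb) pair is checked against the stream before
 * it becomes an array bound. Returns 0 and fills *out on success, -1 for any
 * pair the stream cannot satisfy. Elements are decoded as little-endian. */
int count_positive_shorts_checked(const stream_t *s, uint32_t fc, uint32_t lcb,
                                  size_t *out)
{
    if (s == NULL || s->data == NULL || out == NULL)
        return -1;
    if (fc > s->len)                 /* offset past the end of the stream */
        return -1;
    if (lcb > s->len - fc)           /* length past the end; no wrap since fc <= len */
        return -1;
    if (lcb % sizeof(int16_t) != 0)  /* a SHORT array has an even byte length */
        return -1;

    size_t count = lcb / sizeof(int16_t);
    size_t n = 0;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = s->data + fc + i * sizeof(int16_t);
        uint16_t u = (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
        if ((int16_t)u > 0)
            n++;
    }
    *out = n;
    return 0;
}

/* Constructed sample data: the same eight SHORTs as a typed array (for the
 * unchecked loop) and as a little-endian byte stream (for the checked one).
 * Positive values: 1, 16, 32639, 2 -> expected count 4. */
static const int16_t sample_shorts[8] = { 1, 0, -1, 16, -32768, 32639, 0, 2 };
static const uint8_t sample_stream[16] = {
    0x01, 0x00,  0x00, 0x00,  0xff, 0xff,  0x10, 0x00,
    0x00, 0x80,  0x7f, 0x7f,  0x00, 0x00,  0x02, 0x00,
};

/* Convenience wrapper around the sample stream. */
int sample_count(uint32_t fc, uint32_t lcb, size_t *out)
{
    stream_t s = { sample_stream, sizeof sample_stream };
    return count_positive_shorts_checked(&s, fc, lcb, out);
}

int main(void)
{
    size_t n = 0;
    printf("unchecked, in-bounds count 8: %zu\n",
           count_positive_shorts_unchecked(sample_shorts, 8));
    printf("checked fc=0 lcb=16: rc=%d n=%zu\n", sample_count(0, 16, &n), n);
    printf("checked fc=0 lcb=0x02000005: rc=%d\n", sample_count(0, 0x02000005u, &n));
    printf("overread for count 0x02000005 against a 4 KiB buffer: %llu bytes\n",
           (unsigned long long)overread_bytes(0x02000005u, 0x1000));
    return 0;
}
```

The check on `lcb` is done as `lcb > s->len - fc` after `fc <= s->len` has been established, so the comparison cannot wrap; comparing `fc + lcb <= s->len` directly would let a large `lcb` wrap a 32-bit sum back inside the stream.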

GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 16 Sep 2014 at 8:59

GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 19 Nov 2014 at 8:02

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 20 Nov 2014 at 12:52

GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 20 Nov 2014 at 12:58

GoogleCodeExporter commented 9 years ago
MS bulletin: https://technet.microsoft.com/library/security/MS14-069

Original comment by cev...@google.com on 20 Nov 2014 at 1:16

GoogleCodeExporter commented 9 years ago

Original comment by scvi...@google.com on 13 Jan 2015 at 12:23