Microsoft Office 2007 MsoDrawingGroup rgChildRec invalid GlobalFree

[GoogleCodeExporter]

The following access violation was observed in Microsoft Office 2007:

(b14.afc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=b50506e9 ecx=7ffdd000 edx=00160608 esi=00160000 edi=b50506e1
eip=7c87c9e1 esp=00135294 ebp=001352e8 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
ntdll!RtlDebugFreeHeap+0x82:
7c87c9e1 0fb707           movzx   eax,word ptr [edi]    ds:0023:b50506e1=????
0:000> k
ChildEBP RetAddr
001352e8 7c85567a ntdll!RtlDebugFreeHeap+0x82
001353c0 7c83e448 ntdll!RtlFreeHeapSlowly+0x37
001354a4 77e5cc9a ntdll!RtlFreeHeap+0x11a
001354ec 30791b21 kernel32!GlobalFree+0x3b
0013550c 302d5fec Excel!Ordinal40+0x791b21
0013577c 302950a4 Excel!Ordinal40+0x2d5fec
00135790 302d5f4b Excel!Ordinal40+0x2950a4
001357c4 302d3469 Excel!Ordinal40+0x2d5f4b
001357fc 3043f21c Excel!Ordinal40+0x2d3469
00135a78 302b816f Excel!Ordinal40+0x43f21c
00135aa4 3013e745 Excel!Ordinal40+0x2b816f
00135b30 3013ce22 Excel!Ordinal40+0x13e745
00135d6c 3013dfeb Excel!Ordinal40+0x13ce22
0013bc4c 301284cb Excel!Ordinal40+0x13dfeb
0013e244 30127d70 Excel!Ordinal40+0x1284cb
0013e518 30128830 Excel!Ordinal40+0x127d70
0013e7d4 301aa633 Excel!Ordinal40+0x128830
0013faa4 301aa8a3 Excel!Ordinal40+0x1aa633
0013fab8 30030ae1 Excel!Ordinal40+0x1aa8a3
0013fd08 303da450 Excel!Ordinal40+0x30ae1

Notes:

- Reproduces on Windows Server 2003 and Windows 7.
- An invalid global memory object is being freed. This could be used
to free an otherwise allocated global memory object, which could then
be reallocated over an in-use chunk, resulting in memory corruption.
- The minimized sample commonly triggers a crash on IsBadReadPtr in an
earlier GlobalLock that is called just prior to the GlobalFree seen
above.
- The test-case reduces to a 1-bit difference from the original sample document.
- The affected bit is in the “remainingData” field of the “rgChildRec”
structure belonging to an MSODrawingGroup.
- Attached samples: c1efe67d_crash.xls (crashing file),
c1efe67d_orig.xls (original file)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 29 Sep 2014 at 10:46

Attachments:

• c1efe67d_crash.xls
• c1efe67d_orig.xls

[GoogleCodeExporter]

Original comment by haw...@google.com on 30 Sep 2014 at 3:14

• Added labels: MSRC-20539

[GoogleCodeExporter]

Fixed in https://technet.microsoft.com/library/security/ms14-083

Original comment by fors...@google.com on 29 Dec 2014 at 12:50

• Changed state: Fixed
• Added labels: CVE-2014-6360, Fixed-2014-Dec-9
• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Original comment by scvi...@google.com on 13 Jan 2015 at 12:24

• Added labels: Reported-2014-Sep-29
• Removed labels: Reported-2014-September-29

[GoogleCodeExporter]

Excel Viewer 2007 is also affected, but they did not issue a fix.

Original comment by yuhongba...@hotmail.com on 16 Jan 2015 at 6:42