Nytro

Microsoft Office 2007 TTDeleteEmbeddedFont handle double delete

The following access violation was observed in Microsoft Office 2007:

(7a4.808): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=feeefeee ecx=7ffdf000 edx=00150608 esi=00150000 edi=feeefee6
eip=7c87c9e1 esp=0012f244 ebp=0012f298 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlDebugFreeHeap+0x82:
7c87c9e1 0fb707 movzx eax,word ptr [edi] ds:0023:feeefee6=????

0:000> k
ChildEBP RetAddr
0012f298 7c85567a ntdll!RtlDebugFreeHeap+0x82
0012f370 7c83e448 ntdll!RtlFreeHeapSlowly+0x37
0012f454 73c37fb4 ntdll!RtlFreeHeap+0x11a
0012f468 73c34a77 T2EMBED!T2free+0x1d
0012f86c 31dbbb54 T2EMBED!TTDeleteEmbeddedFont+0x7c
0012f884 31dbbae9 wwlib!DllCanUnloadNow+0x25fbcb
0012f8ec 313406d8 wwlib!DllCanUnloadNow+0x25fb60
0012f92c 3135944d wwlib!FMain+0xfc129
0012f950 3135926c wwlib!FMain+0x114e9e
0012f95c 31359231 wwlib!FMain+0x114cbd
0012f984 31244c5b wwlib!FMain+0x114c82
0012ff10 300015fb wwlib!FMain+0x6ac
0012ff30 3000156d winword+0x15fb
0012ffc0 77e6f32b winword+0x156d
0012fff0 00000000 kernel32!BaseProcessStart+0x23

Notes:

- Reproduces on Windows Server 2003 (as an access violation) and Windows 7 (as a heap critical error).
- Opening the document causes a “Word experienced an error trying to open the file.” dialog. After closing the dialog, and then closing Word, the crash occurs.
- The dereference of the “heap free checking constant” suggests use-after-free.
- Analysis shows the third argument of RtlpDebugPageHeapFree is 0xfeeefeee - this suggests that a pointer from a previously freed chunk is itself being freed.
- The callstack may suggest a misuse of the font embedding API. For example, this could be caused by multiple calls to TTDeleteEmbeddedFont using the same font reference handle.
- Breakpointing TTDeleteEmbeddedFont and recording the handle argument confirms that a font reference handle is deleted twice.
- The test case reduces to a 1-bit difference from the original sample document.
- The affected bit is in the lcbSttbfBkmkArto field of the FibRgFcLcb2007 (or FIBTable2007) structure.
- Attached samples: 9adcab7c_1_crash.doc (crashing file), 9adcab7c_1_orig.doc (original file)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachments:
- 9adcab7c_1_crash.doc (1.2 MB)
- 9adcab7c_1_orig.doc (1.2 MB)

Source: https://code.google.com/p/google-security-research/issues/detail?id=107&can=1
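Two triage steps in the report above are easy to reproduce on one's own samples: locating the single flipped bit between the original and the crashing document, and checking a log of TTDeleteEmbeddedFont calls for a handle value that is deleted twice. The script below is an added example, not code from the report or from Google Security Research; the sample "files" and the handle log are constructed inline, and the WinDbg breakpoint shown in the comment (and therefore the log line format it prints) is this example's own assumption about how such a log would be gathered, not a command the report gives.

```python
"""Triage helpers for a one-bit-flip crash reproducer (added example, not from the report)."""
from collections import defaultdict
import re


def bit_diff(orig: bytes, crash: bytes):
    """Return every differing bit as (byte_offset, bit_index, orig_byte, crash_byte).

    A reducer that ends at a 1-bit delta leaves both files the same length, so a
    length mismatch means the delta is not a pure bit flip and is reported as an error.
    """
    if len(orig) != len(crash):
        raise ValueError(f"length mismatch: {len(orig)} vs {len(crash)} bytes")
    diffs = []
    for off, (x, y) in enumerate(zip(orig, crash)):
        delta = x ^ y
        for bit in range(8):
            if delta & (1 << bit):
                diffs.append((off, bit, x, y))
    return diffs


def flip_bit(data: bytes, byte_offset: int, bit_index: int) -> bytes:
    """Return a copy of data with one bit toggled (used here to build the constructed sample)."""
    buf = bytearray(data)
    buf[byte_offset] ^= 1 << bit_index
    return bytes(buf)


# Handle-log parsing. The lines are what a WinDbg breakpoint such as
#   bp T2EMBED!TTDeleteEmbeddedFont ".printf \"TTDeleteEmbeddedFont handle=%p\\n\", poi(@esp+4); gc"
# would print on x86, where hFontReference is the first stack argument at function
# entry. The exact breakpoint and log format are assumptions of this example.
LOG_LINE = re.compile(r"TTDeleteEmbeddedFont handle=(?:0x)?([0-9a-fA-F]+)")


def find_double_deletes(log_text: str):
    """Map every handle value deleted more than once to the log line numbers where it appeared."""
    seen = defaultdict(list)
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_LINE.search(line)
        if m:
            seen[int(m.group(1), 16)].append(lineno)
    return {handle: lines for handle, lines in seen.items() if len(lines) > 1}


# Constructed sample input (not the report's attachments): a fake 64-byte "file"
# and a copy with bit 3 of byte 40 toggled, standing in for orig.doc / crash.doc.
SAMPLE_ORIG = bytes(range(64))
SAMPLE_CRASH = flip_bit(SAMPLE_ORIG, 40, 3)

# Constructed log, as the breakpoint above might print across document open and close.
SAMPLE_LOG = """\
TTDeleteEmbeddedFont handle=00150608
TTDeleteEmbeddedFont handle=00150700
TTDeleteEmbeddedFont handle=00150608
"""

if __name__ == "__main__":
    # With real files: bit_diff(open("orig.doc","rb").read(), open("crash.doc","rb").read())
    for off, bit, x, y in bit_diff(SAMPLE_ORIG, SAMPLE_CRASH):
        print(f"offset 0x{off:x} bit {bit}: 0x{x:02x} -> 0x{y:02x}")
    for handle, lines in find_double_deletes(SAMPLE_LOG).items():
        print(f"handle 0x{handle:08x} deleted {len(lines)} times (log lines {lines})")
```

One caveat when mapping the reported offset to a FIB field: a .doc file is an OLE compound file, and the FIB lives at the start of its WordDocument stream, so the byte offset bit_diff reports is an offset into the container and has to be translated into a stream offset (for example with olefile) before it can be matched against the FibRgFcLcb2007 layout.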
