Nytro

Microsoft Office 2007 lcbPlcffndTxt/fcPlfguidUim memory corruption


The following access violation was observed in Microsoft Office 2007:

(7b4.d5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000245d ebx=00003db4 ecx=03b57000 edx=000877e6 esi=0000001a edi=00087800
eip=31af194a esp=0011f654 ebp=0011f65c iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010287
wwlib!wdCommandDispatch+0x46a0c3:
31af194a 66833c7900 cmp word ptr [ecx+edi*2],0x0 ds:0023:03c66000=????

0:000> k
ChildEBP RetAddr
0011f65c 31818c6d wwlib!wdCommandDispatch+0x46a0c3
0011f690 319cf050 wwlib!wdCommandDispatch+0x1913e6
0011f6b4 315f0209 wwlib!wdCommandDispatch+0x3477c9
0011f998 31974378 wwlib!DllGetClassObject+0x174e62
0011ff88 3134ed9a wwlib!wdCommandDispatch+0x2ecaf1
00120194 3134eb07 wwlib!FMain+0x10a7eb
0012022c 6bdd1d83 wwlib!FMain+0x10a558
001202dc 6bdd24c8 MSPTLS!LssbFIsSublineEmpty+0x22cb
0012035c 6bddf8e0 MSPTLS!LssbFIsSublineEmpty+0x2a10
001203c0 6bddff5d MSPTLS!LssbFIsSublineEmpty+0xfe28
001203f0 6bddf1ef MSPTLS!LssbFIsSublineEmpty+0x104a5
001205f4 6bdc4b85 MSPTLS!LssbFIsSublineEmpty+0xf737
00120628 312dc82a MSPTLS!LsCreateLine+0x23
0012069c 312dc243 wwlib!FMain+0x9827b
00120704 312dbc97 wwlib!FMain+0x97c94
001207f4 6be51b27 wwlib!FMain+0x976e8
00120894 6be5c65b MSPTLS!FsDestroyMemory+0x1ee4e
00120a0c 6be5c94c MSPTLS!FsDestroyMemory+0x29982
00120a58 6be36d59 MSPTLS!FsDestroyMemory+0x29c73
00120ac4 6be37f87 MSPTLS!FsDestroyMemory+0x4080

Notes:

- Reproduces on Windows Server 2003 and Windows 7. Running the sample with a fresh filename each time is recommended due to document recovery interfering with reproduction on subsequent attempts.
- The accessed page is in state MEM_FREE.
- The crashing function reads off the end of a heap segment. It appears to be counting the number of positive non-zero SHORT values in an array from a supplied offset.
- The array bounds are supplied in the second argument to the function. In the crashing case, this bounds value is set to 0x02000005.
- The same invalid bounds value is used in an immediately subsequent function call in a calculation of the destination buffer address for a memcpy, which suggests this bug is sufficient to cause memory corruption.
- The test case reduces to a 2-bit difference from the original sample document.
- The affected bits are in the lcbPlcffndTxt field of the FibRgFcLcb97 (or FIBTable97) structure, and the fcPlfguidUim field of the FibRgFcLcb2002 (or FIBTable2002) structure.
- Attached samples: 12c4c461_1_crash.doc (crashing file), 12c4c461_1_orig.doc (original file)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.


Source: https://code.google.com/p/google-security-research/issues/detail?id=108&can=1
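The notes above describe a loop that counts positive SHORT values over a range whose size (0x02000005) is taken unchecked from the FIB. The following is an added C example, not part of the report or of Word, showing the check a parser of that structure would want: it reads the fcPlcffndTxt/lcbPlcffndTxt pair from a FIB fragment, rejects it unless it fits the Table stream, and only then counts. The field offsets (24 and 28) are assumed from the public FibRgFcLcb97 layout, and all sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed offsets of the fc/lcb pair inside a FibRgFcLcb97 block (7th and
 * 8th DWORDs). Only the leading 32 bytes of the block are modelled here. */
#define FC_PLCFFNDTXT_OFF  24u
#define LCB_PLCFFNDTXT_OFF 28u
#define FIB_FRAGMENT_LEN   32u

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Is [fc, fc+lcb) inside a stream of stream_len bytes? Subtraction avoids the
 * 32-bit wrap that a naive fc + lcb <= stream_len test would allow. */
int fclcb_in_bounds(uint32_t fc, uint32_t lcb, uint32_t stream_len) {
    return fc <= stream_len && lcb <= stream_len - fc;
}

/* Count positive non-zero SHORTs in the range the FIB points at (the operation
 * the report describes), with the range validated first. Returns -1 when the
 * FIB fragment is too short or the (fc, lcb) pair does not fit the stream. */
long count_positive_shorts(const uint8_t *fib, size_t fib_len,
                           const uint8_t *table, uint32_t table_len) {
    if (fib_len < FIB_FRAGMENT_LEN) return -1;
    uint32_t fc  = rd32le(fib + FC_PLCFFNDTXT_OFF);
    uint32_t lcb = rd32le(fib + LCB_PLCFFNDTXT_OFF);
    if (!fclcb_in_bounds(fc, lcb, table_len)) return -1;   /* 0x02000005 fails here */
    long n = 0;
    for (uint32_t i = 0; i + 2 <= lcb; i += 2) {
        unsigned u = table[fc + i] | (table[fc + i + 1] << 8);  /* little-endian SHORT */
        int v = (u & 0x8000u) ? (int)u - 0x10000 : (int)u;
        if (v > 0) n++;
    }
    return n;
}

/* Constructed sample: FIB fragment saying (fc=4, lcb=6) and a 16-byte Table
 * stream holding SHORTs 1, -2, 3 at offset 4; then the same fragment with lcb
 * overwritten by the 0x02000005 value seen in the crash. */
static uint8_t fib_ok[FIB_FRAGMENT_LEN]  = { [24] = 4, [28] = 6 };
static uint8_t table_ok[16]              = { [4] = 1, 0, 0xFE, 0xFF, 3, 0 };
static uint8_t fib_bad[FIB_FRAGMENT_LEN] = { [24] = 4, [28] = 0x05, 0x00, 0x00, 0x02 };

long demo_benign(void)       { return count_positive_shorts(fib_ok,  sizeof fib_ok,  table_ok, sizeof table_ok); }
long demo_crash_bounds(void) { return count_positive_shorts(fib_bad, sizeof fib_bad, table_ok, sizeof table_ok); }

int main(void) {
    printf("benign: %ld, crash-case bounds: %ld\n", demo_benign(), demo_crash_bounds());
    return 0;
}
```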
