[Libreoffice-bugs] [Bug 112269] New: There is a heap overflow in libwpd. This vulnerability can be triggered in libreoffice.
bugzilla-daemon at bugs.documentfoundation.org
Thu Sep 7 09:08:05 UTC 2017
https://bugs.documentfoundation.org/show_bug.cgi?id=112269
Bug ID: 112269
Summary: There is a heap overflow in libwpd. This vulnerability
can be triggered in libreoffice.
Product: LibreOffice
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: LibreOffice
Assignee: libreoffice-bugs at lists.freedesktop.org
Reporter: v.owl337 at gmail.com
Description of problem:
There is a heap overflow in libwpd. This vulnerability has been triggered in
libreoffice. It may exist in other office applications.
Version-Release number of selected component (if applicable):
<= latest version
How reproducible:
./wpd2html POC1
Steps to Reproduce:
=================================================================
==115429==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60400000dc44 at pc 0x7ffff7ad9911 bp 0x7fffffffd270 sp 0x7fffffffd268
READ of size 4 at 0x60400000dc44 thread T0
#0 0x7ffff7ad9910
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
#1 0x7ffff7acfaaa
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9baaa)
#2 0x7ffff7ad1ef2
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9def2)
#3 0x7ffff7b37554
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x103554)
#4 0x7ffff7a86cf6
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x52cf6)
#5 0x7ffff7aa944f
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x7544f)
#6 0x7ffff7a975cb
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x635cb)
#7 0x7ffff7a9835e
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x6435e)
#8 0x7ffff7b3628c
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x10228c)
#9 0x4ee0d5
(/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4ee0d5)
#10 0x7ffff611682f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x4194d8
(/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4194d8)
0x60400000dc44 is located 4 bytes to the right of 48-byte region
[0x60400000dc10,0x60400000dc40)
allocated by thread T0 here:
#0 0x4eabd0
(/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4eabd0)
#1 0x7ffff7b5de49
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x129e49)
#2 0x7ffff7b5a3e4
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x1263e4)
#3 0x7ffff7adb15b
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa715b)
#4 0x7ffff7acf975
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9b975)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
Shadow bytes around the buggy address:
0x0c087fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
=>0x0c087fff9b80: fa fa 00 00 00 00 00 00[fa]fa 00 00 00 00 00 00
0x0c087fff9b90: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9ba0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9bb0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9bc0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9bd0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==115429==ABORTING
[Inferior 1 (process 115429) exited with code 01]
$./wpd2html POC1
Segmentation fault
The GDB debugging information is as follows:
(gdb)set args POC1
(gdb)r
(gdb) i b
Num Type Disp Enb Address What
5 breakpoint keep y 0x00007ffff7b87f37 in
WPXTableList::WPXTableList(WPXTableList const&)
at WPXTable.cpp:170
breakpoint already hit 18 times
(gdb) p m_refCount
$7 = (int *) 0x6e616d6f522077
(gdb) n
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8,
tableList=...) at WPXTable.cpp:170
170 (*m_refCount)++;
(gdb) bt
#0 0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8,
tableList=...) at WPXTable.cpp:170
#1 0x00007ffff7b37b6f in WPXHeaderFooter::getTableList (this=<optimized out>)
at ./WPXPageSpan.h:66
#2 WP5StylesListener::insertBreak (this=<optimized out>, breakType=<optimized
out>) at WP5StylesListener.cpp:94
#3 0x00007ffff7b31a01 in WP5Parser::parseDocument (input=<optimized out>,
encryption=<optimized out>,
listener=<optimized out>) at WP5Parser.cpp:102
#4 0x00007ffff7b332bd in WP5Parser::parseSubDocument (this=0x6284c0,
documentInterface=0x7fffffffe420)
at WP5Parser.cpp:234
#5 0x00007ffff7b6f5da in libwpd::WPDocument::parseSubDocument (input=0x6272c0,
textInterface=0x7fffffffe420,
fileFormat=<optimized out>) at WPDocument.cpp:460
#6 0x00007ffff7b0492a in WP3ContentListener::insertWP51Table
(this=0x7fffffffe1c8, height=<optimized out>,
width=<optimized out>, verticalOffset=<optimized out>,
horizontalOffset=<optimized out>,
leftColumn=<optimized out>, rightColumn=<optimized out>, figureFlags=65535,
subDocument=0x627280, caption=0x627320)
at WP3ContentListener.cpp:867
#7 0x00007ffff7b19826 in WP3WindowGroup::parse (this=0x6287e0,
listener=0x7fffffffe1c8) at WP3WindowGroup.cpp:144
#8 0x00007ffff7b0deee in WP3Parser::parseDocument (input=<optimized out>,
listener=<optimized out>,
encryption=<optimized out>) at WP3Parser.cpp:107
#9 WP3Parser::parse (this=<optimized out>, input=<optimized out>,
encryption=<optimized out>, listener=<optimized out>)
at WP3Parser.cpp:76
#10 0x00007ffff7b0e742 in WP3Parser::parse (this=<optimized out>,
textInterface=<optimized out>) at WP3Parser.cpp:153
#11 0x00007ffff7b6e6a1 in libwpd::WPDocument::parse (input=<optimized out>,
textInterface=<optimized out>, password=0x0)
at WPDocument.cpp:345
#12 0x00000000004018f2 in main (argc=<optimized out>, argv=<optimized out>) at
wpd2html.cpp:116
There is an erroneous memory access in the function WPXTableList::WPXTableList() at
line WPXTable.cpp:170.
165 WPXTableList::WPXTableList(const WPXTableList &tableList) :
166 m_tableList(tableList.get()),
167 m_refCount(tableList.getRef())
168 {
169 if (m_refCount)
170 (*m_refCount)++;
171 }
Actual results:
crash
Expected results:
crash
Additional info:
This vulnerability is detected by team OWL337, with our custom fuzzer CollAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need more
info about the team, the tool or the vulnerability.
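The copy constructor quoted at WPXTable.cpp:165-171 increments whatever m_refCount points at, and the pointer gdb printed, 0x6e616d6f522077, is the little-endian ASCII bytes of "w Roman", so the source handle was read from memory that looks like document text rather than a live counter. The following is an added example, not libwpd code: the same hand-rolled two-allocation handle beside a std::shared_ptr version that keeps count and payload in one allocation, using a hypothetical payload type TableList.

```cpp
// Added example (not libwpd code). Models the WPXTableList copy semantics:
// a raw payload pointer plus a separately heap-allocated int counter.
#include <memory>
#include <utility>
#include <vector>

struct TableList { std::vector<int> tables; };   // hypothetical payload

// Hand-rolled handle: payload and counter live in two separate heap blocks.
// The copy constructor trusts whatever m_refCount points at, exactly as the
// quoted WPXTableList constructor does; a handle copied from stale or
// foreign bytes carries a bogus counter pointer and the increment reads it.
class HandRolledHandle {
public:
    HandRolledHandle() : m_tableList(new TableList), m_refCount(new int(1)) {}
    HandRolledHandle(const HandRolledHandle &o)
        : m_tableList(o.m_tableList), m_refCount(o.m_refCount) {
        if (m_refCount) (*m_refCount)++;          // the line that faulted in the report
    }
    HandRolledHandle &operator=(const HandRolledHandle &) = delete;
    ~HandRolledHandle() {
        if (m_refCount && --(*m_refCount) == 0) { delete m_tableList; delete m_refCount; }
    }
    int refCount() const { return m_refCount ? *m_refCount : 0; }
    TableList *get() const { return m_tableList; }
private:
    TableList *m_tableList;
    int *m_refCount;
};

// shared_ptr variant: make_shared places count and payload in one control
// block, so a handle cannot hold a count pointer detached from its payload.
class SharedHandle {
public:
    SharedHandle() : m_tableList(std::make_shared<TableList>()) {}
    long refCount() const { return m_tableList.use_count(); }
    TableList *get() const { return m_tableList.get(); }
private:
    std::shared_ptr<TableList> m_tableList;
};

// Copy a handle `copies` times; return the count while the copies are alive
// and the count after they are destroyed (expected: copies+1, then 1).
template <class H> std::pair<long, long> copyAndCount(int copies) {
    H original;
    long peak = 0;
    {
        std::vector<H> dup(copies, original);
        peak = original.refCount();
    }
    return {peak, original.refCount()};
}
```

Both variants count identically on valid handles; the difference the report exposes is only visible when the source handle's counter pointer is not a live allocation, which the std::shared_ptr form rules out by construction.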