<html>
<head>
<base href="https://bugs.documentfoundation.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_UNCONFIRMED "
title="UNCONFIRMED - There is a heap overflow in libwpd. This vulnerability can be triggered in libreoffice."
href="https://bugs.documentfoundation.org/show_bug.cgi?id=112269">112269</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>There is a heap overflow in libwpd. This vulnerability can be triggered in libreoffice.
</td>
</tr>
<tr>
<th>Product</th>
<td>LibreOffice
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>UNCONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>LibreOffice
</td>
</tr>
<tr>
<th>Assignee</th>
<td>libreoffice-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>v.owl337@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Description of problem:
There is a heap overflow in libwpd. This vulnerability has been triggered in
libreoffice. It may exist in other office applications.
Version-Release number of selected component (if applicable):
<= latest version
How reproducible:
./wpd2html POC1
Steps to Reproduce:
=================================================================
==115429==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60400000dc44 at pc 0x7ffff7ad9911 bp 0x7fffffffd270 sp 0x7fffffffd268
READ of size 4 at 0x60400000dc44 thread T0
#0 0x7ffff7ad9910
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
#1 0x7ffff7acfaaa
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9baaa)
#2 0x7ffff7ad1ef2
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9def2)
#3 0x7ffff7b37554
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x103554)
#4 0x7ffff7a86cf6
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x52cf6)
#5 0x7ffff7aa944f
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x7544f)
#6 0x7ffff7a975cb
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x635cb)
#7 0x7ffff7a9835e
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x6435e)
#8 0x7ffff7b3628c
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x10228c)
#9 0x4ee0d5
(/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4ee0d5)
#10 0x7ffff611682f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x4194d8
(/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4194d8)
0x60400000dc44 is located 4 bytes to the right of 48-byte region
[0x60400000dc10,0x60400000dc40)
allocated by thread T0 here:
#0 0x4eabd0
(/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4eabd0)
#1 0x7ffff7b5de49
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x129e49)
#2 0x7ffff7b5a3e4
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x1263e4)
#3 0x7ffff7adb15b
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa715b)
#4 0x7ffff7acf975
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9b975)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
Shadow bytes around the buggy address:
0x0c087fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
=>0x0c087fff9b80: fa fa 00 00 00 00 00 00[fa]fa 00 00 00 00 00 00
0x0c087fff9b90: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9ba0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9bb0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9bc0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9bd0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==115429==ABORTING
[Inferior 1 (process 115429) exited with code 01]
$./wpd2html POC1
Segmentation fault
The GDB debugging information is as follows:
(gdb)set args POC1
(gdb)r
(gdb) i b
Num Type Disp Enb Address What
5 breakpoint keep y 0x00007ffff7b87f37 in
WPXTableList::WPXTableList(WPXTableList const&)
at WPXTable.cpp:170
breakpoint already hit 18 times
(gdb) p m_refCount
$7 = (int *) 0x6e616d6f522077
(gdb) n
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8,
tableList=...) at WPXTable.cpp:170
170 (*m_refCount)++;
(gdb) bt
#0 0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8,
tableList=...) at WPXTable.cpp:170
#1 0x00007ffff7b37b6f in WPXHeaderFooter::getTableList (this=<optimized out>)
at ./WPXPageSpan.h:66
#2 WP5StylesListener::insertBreak (this=<optimized out>, breakType=<optimized
out>) at WP5StylesListener.cpp:94
#3 0x00007ffff7b31a01 in WP5Parser::parseDocument (input=<optimized out>,
encryption=<optimized out>,
listener=<optimized out>) at WP5Parser.cpp:102
#4 0x00007ffff7b332bd in WP5Parser::parseSubDocument (this=0x6284c0,
documentInterface=0x7fffffffe420)
at WP5Parser.cpp:234
#5 0x00007ffff7b6f5da in libwpd::WPDocument::parseSubDocument (input=0x6272c0,
textInterface=0x7fffffffe420,
fileFormat=<optimized out>) at WPDocument.cpp:460
#6 0x00007ffff7b0492a in WP3ContentListener::insertWP51Table
(this=0x7fffffffe1c8, height=<optimized out>,
width=<optimized out>, verticalOffset=<optimized out>,
horizontalOffset=<optimized out>,
leftColumn=<optimized out>, rightColumn=<optimized out>, figureFlags=65535,
subDocument=0x627280, caption=0x627320)
at WP3ContentListener.cpp:867
#7 0x00007ffff7b19826 in WP3WindowGroup::parse (this=0x6287e0,
listener=0x7fffffffe1c8) at WP3WindowGroup.cpp:144
#8 0x00007ffff7b0deee in WP3Parser::parseDocument (input=<optimized out>,
listener=<optimized out>,
encryption=<optimized out>) at WP3Parser.cpp:107
#9 WP3Parser::parse (this=<optimized out>, input=<optimized out>,
encryption=<optimized out>, listener=<optimized out>)
at WP3Parser.cpp:76
#10 0x00007ffff7b0e742 in WP3Parser::parse (this=<optimized out>,
textInterface=<optimized out>) at WP3Parser.cpp:153
#11 0x00007ffff7b6e6a1 in libwpd::WPDocument::parse (input=<optimized out>,
textInterface=<optimized out>, password=0x0)
at WPDocument.cpp:345
#12 0x00000000004018f2 in main (argc=<optimized out>, argv=<optimized out>) at
wpd2html.cpp:116
There is an erroneous memory access in the function WPXTableList::WPXTableList() at
line WPXTable.cpp:170.
165 WPXTableList::WPXTableList(const WPXTableList &tableList) :
166 m_tableList(tableList.get()),
167 m_refCount(tableList.getRef())
168 {
169 if (m_refCount)
170 (*m_refCount)++;
171 }
Actual results:
crash
Expected results:
crash
Additional info:
This vulnerability is detected by team OWL337, with our custom fuzzer CollAFL.
Please contact <a href="mailto:ganshuitao@gmail.com">ganshuitao@gmail.com</a> and <a href="mailto:chaoz@tsinghua.edu.cn">chaoz@tsinghua.edu.cn</a> if you need more
info about the team, the tool or the vulnerability.</pre>
</div>
</p>
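<p>An added triage helper, example code that is not part of this bug report or of libwpd: it parses the numeric facts out of the AddressSanitizer output pasted above and cross-checks them against each other, confirming from the report's own numbers that a 4-byte read lands 4 bytes past the end of a 48-byte heap region. The report excerpt embedded in the code is constructed from the lines quoted above; a truncated or edited paste makes the helper raise instead of returning.</p>

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted in the bug
# above: only the lines that carry the triage-relevant numbers.
ASAN_REPORT = """\
==115429==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60400000dc44 at pc 0x7ffff7ad9911 bp 0x7fffffffd270 sp 0x7fffffffd268
READ of size 4 at 0x60400000dc44 thread T0
0x60400000dc44 is located 4 bytes to the right of 48-byte region
[0x60400000dc10,0x60400000dc40)
allocated by thread T0 here:
"""

ERROR_RE = re.compile(
    r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def parse_asan_report(text):
    """Extract the numbers from an ASan heap report and cross-check them.

    Raises ValueError when the report's own figures disagree (a truncated
    or edited paste), so a broken report is never triaged as-is.
    """
    flat = " ".join(text.split())  # ASan wraps long lines; rejoin them
    err, acc, reg = (r.search(flat) for r in (ERROR_RE, ACCESS_RE, REGION_RE))
    if not (err and acc and reg):
        raise ValueError("not a complete ASan heap-buffer-overflow report")
    addr = int(err.group(3), 16)
    lo, hi = int(reg.group(4), 16), int(reg.group(5), 16)
    if hi - lo != int(reg.group(3)):
        raise ValueError("region bounds disagree with the stated region size")
    side = reg.group(2)
    distance = addr - hi if side == "right" else lo - addr
    if distance != int(reg.group(1)):
        raise ValueError("fault address disagrees with the stated distance")
    access_size = int(acc.group(2))
    return {
        "kind": err.group(2),
        "access": acc.group(1),
        "access_size": access_size,
        "address": addr,
        "region": (lo, hi),
        "region_size": hi - lo,
        "side": side,
        "bytes_past_boundary": distance + access_size,  # reach beyond region
    }
```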
</body>
</html>