https://bugs.documentfoundation.org/show_bug.cgi?id=171474

            Bug ID: 171474
           Summary: MSan: allocation-size-too-big in HWPStyle::Read() when
                    parsing crafted HWP file
           Product: LibreOffice
           Version: 3.3.0 release
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: filters and storage
          Assignee: [email protected]
          Reporter: [email protected]

Description:
When parsing a crafted HWP (Hangul Word Processor) v3.0 file,
a field read from the file is used directly as an allocation 
size in HWPStyle::Read() at hstyle.cxx:126 without bounds 
validation.

MemorySanitizer reports "allocation-size-too-big" with size 
0xffffffffffffffff, indicating an attacker-controlled value 
from the file reaches a new[] call without sanitization.

This causes a hard crash when opening a crafted HWP file.
Denial of service is confirmed. Whether the unvalidated size
field can be further exploited has not been investigated.
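Added illustration, not code from LibreOffice's hstyle.cxx: a reader that bounds a file-supplied count by a fixed maximum and by the bytes actually remaining in the stream before `new[]` is called, which is the check the report says is missing. The record layout, `kMaxStyles`, the status names and the sample byte buffers are constructed for this example and are not the HWP style-table format.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <new>
#include <vector>

// Constructed layout for the example (not the real HWP style table):
// a 32-bit little-endian style count followed by `count` records of
// sizeof(Style) bytes each.
struct Style { uint8_t id; uint8_t flags; };
constexpr uint32_t kMaxStyles = 1024;   // assumed sane upper bound per document

enum class ReadStatus { Ok, Truncated, CountTooLarge, CountExceedsData, OutOfMemory };

struct StyleTable {
    ReadStatus status = ReadStatus::Truncated;
    uint32_t count = 0;
    std::unique_ptr<Style[]> styles;
};

static uint32_t le32(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

// Hardened reader. The pattern in the report is the equivalent of
// `new (std::nothrow) Style[count]` immediately after reading `count`;
// here the count is validated against a fixed ceiling and against the
// remaining file size before any allocation is attempted.
StyleTable readStyles(const std::vector<uint8_t>& file) {
    StyleTable t;
    if (file.size() < 4) return t;                       // Truncated header
    const uint32_t count = le32(file.data());
    const size_t remaining = file.size() - 4;
    if (count > kMaxStyles) { t.status = ReadStatus::CountTooLarge; return t; }
    // count <= kMaxStyles, so this product cannot overflow size_t.
    if (size_t(count) * sizeof(Style) > remaining) { t.status = ReadStatus::CountExceedsData; return t; }
    t.styles.reset(new (std::nothrow) Style[count]);
    if (count != 0 && !t.styles) { t.status = ReadStatus::OutOfMemory; return t; }
    for (uint32_t i = 0; i < count; ++i) {
        const uint8_t* rec = file.data() + 4 + size_t(i) * sizeof(Style);
        t.styles[i] = Style{rec[0], rec[1]};
    }
    t.count = count;
    t.status = ReadStatus::Ok;
    return t;
}

// Constructed inputs: a valid two-style table, and a crafted header whose
// count is 0xffffffff, mirroring the oversize request in the MSan report.
const std::vector<uint8_t> kGoodFile    = {2, 0, 0, 0, 1, 0x10, 2, 0x20};
const std::vector<uint8_t> kCraftedFile = {0xff, 0xff, 0xff, 0xff, 1, 0x10};
```

With the crafted header the reader returns `CountTooLarge` before `new[]` runs, so the oversize request never reaches the allocator.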

The bug was found using MemorySanitizer via OSS-Fuzz.
Reproduces 100% of the time with attached test case.

Affected call chain:
HWPStyle::Read(HWPFile&)     hstyle.cxx:126
StyleRead()                  hwpfile.cxx:211
HWPFile::ReadHwpFile()       hwpfile.cxx:75
HwpReader::importHStream()   hwpreader.cxx:121

Attached: hwp_bad_alloc.bin (minimized crash reproducer)

Steps to Reproduce:
1. Download and open the attached hwp_bad_alloc.bin file 
   in LibreOffice Writer (rename to .hwp first)

2. Observe LibreOffice crashes immediately on opening the file

3. Run with MSan build to see full stack trace

Actual Results:
LibreOffice crashes immediately when opening the crafted HWP file.

MemorySanitizer reports:
ERROR: MemorySanitizer: requested allocation size 0xffffffffffffffff 
exceeds maximum supported size of 0x10000000000

in HWPStyle::Read(HWPFile&) at hwpfilter/source/hstyle.cxx:126

Expected Results:
LibreOffice should reject the malformed HWP file gracefully 
and display an error message to the user without crashing.


Reproducible: Always


User Profile Reset: No

Additional Info:
Found via MemorySanitizer (MSan) fuzzing using OSS-Fuzz infrastructure.
Reproduces 100% of the time with attached test case.

Full stack trace:
==18==ERROR: MemorySanitizer: requested allocation size 0xffffffffffffffff exceeds maximum supported size of 0x10000000000
    #0 operator new[](unsigned long, std::nothrow_t const&) msan_new_delete.cpp:60
    #1 HWPStyle::Read(HWPFile&) hstyle.cxx:126
    #2 StyleRead hwpfile.cxx:211
    #3 HWPFile::ReadHwpFile() hwpfile.cxx:75
    #4 HwpReader::importHStream() hwpreader.cxx:121
    #5 LLVMFuzzerTestOneInput hwpfuzzer.cxx:53

DEDUP_TOKEN: operator new[]--HWPStyle::Read(HWPFile&)--StyleRead

Note: Security-relevant crash. Attacker-controlled value from 
file reaches new[] without bounds validation. DoS confirmed.
