https://bugs.documentfoundation.org/show_bug.cgi?id=112269
Bug ID: 112269
Summary: There is a heap overflow in libwpd. This vulnerability
can be triggered in libreoffice.
Product: LibreOffice
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: LibreOffice
Assignee: [email protected]
Reporter: [email protected]
Description of problem:
There is a heap overflow in libwpd. This vulnerability has been triggered in
libreoffice. It may exist in other office applications.
Version-Release number of selected component (if applicable):
<= latest version
How reproducible:
./wpd2html POC1
Steps to Reproduce:
=================================================================
==115429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dc44 at pc 0x7ffff7ad9911 bp 0x7fffffffd270 sp 0x7fffffffd268
READ of size 4 at 0x60400000dc44 thread T0
    #0 0x7ffff7ad9910 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
    #1 0x7ffff7acfaaa (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9baaa)
    #2 0x7ffff7ad1ef2 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9def2)
    #3 0x7ffff7b37554 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x103554)
    #4 0x7ffff7a86cf6 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x52cf6)
    #5 0x7ffff7aa944f (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x7544f)
    #6 0x7ffff7a975cb (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x635cb)
    #7 0x7ffff7a9835e (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x6435e)
    #8 0x7ffff7b3628c (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x10228c)
    #9 0x4ee0d5 (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4ee0d5)
    #10 0x7ffff611682f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4194d8 (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4194d8)
0x60400000dc44 is located 4 bytes to the right of 48-byte region [0x60400000dc10,0x60400000dc40)
allocated by thread T0 here:
    #0 0x4eabd0 (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4eabd0)
    #1 0x7ffff7b5de49 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x129e49)
    #2 0x7ffff7b5a3e4 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x1263e4)
    #3 0x7ffff7adb15b (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa715b)
    #4 0x7ffff7acf975 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9b975)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
Shadow bytes around the buggy address:
0x0c087fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
=>0x0c087fff9b80: fa fa 00 00 00 00 00 00[fa]fa 00 00 00 00 00 00
0x0c087fff9b90: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9ba0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9bb0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9bc0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9bd0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==115429==ABORTING
[Inferior 1 (process 115429) exited with code 01]
$./wpd2html POC1
Segmentation fault
The GDB debugging information is as follows:
(gdb)set args POC1
(gdb)r
(gdb) i b
Num Type Disp Enb Address What
5 breakpoint keep y 0x00007ffff7b87f37 in
WPXTableList::WPXTableList(WPXTableList const&)
at WPXTable.cpp:170
breakpoint already hit 18 times
(gdb) p m_refCount
$7 = (int *) 0x6e616d6f522077
(gdb) n
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8,
tableList=...) at WPXTable.cpp:170
170 (*m_refCount)++;
(gdb) bt
#0 0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8,
tableList=...) at WPXTable.cpp:170
#1 0x00007ffff7b37b6f in WPXHeaderFooter::getTableList (this=<optimized out>)
at ./WPXPageSpan.h:66
#2 WP5StylesListener::insertBreak (this=<optimized out>, breakType=<optimized
out>) at WP5StylesListener.cpp:94
#3 0x00007ffff7b31a01 in WP5Parser::parseDocument (input=<optimized out>,
encryption=<optimized out>,
listener=<optimized out>) at WP5Parser.cpp:102
#4 0x00007ffff7b332bd in WP5Parser::parseSubDocument (this=0x6284c0,
documentInterface=0x7fffffffe420)
at WP5Parser.cpp:234
#5 0x00007ffff7b6f5da in libwpd::WPDocument::parseSubDocument (input=0x6272c0,
textInterface=0x7fffffffe420,
fileFormat=<optimized out>) at WPDocument.cpp:460
#6 0x00007ffff7b0492a in WP3ContentListener::insertWP51Table
(this=0x7fffffffe1c8, height=<optimized out>,
width=<optimized out>, verticalOffset=<optimized out>,
horizontalOffset=<optimized out>,
leftColumn=<optimized out>, rightColumn=<optimized out>, figureFlags=65535,
subDocument=0x627280, caption=0x627320)
at WP3ContentListener.cpp:867
#7 0x00007ffff7b19826 in WP3WindowGroup::parse (this=0x6287e0,
listener=0x7fffffffe1c8) at WP3WindowGroup.cpp:144
#8 0x00007ffff7b0deee in WP3Parser::parseDocument (input=<optimized out>,
listener=<optimized out>,
encryption=<optimized out>) at WP3Parser.cpp:107
#9 WP3Parser::parse (this=<optimized out>, input=<optimized out>,
encryption=<optimized out>, listener=<optimized out>)
at WP3Parser.cpp:76
#10 0x00007ffff7b0e742 in WP3Parser::parse (this=<optimized out>,
textInterface=<optimized out>) at WP3Parser.cpp:153
#11 0x00007ffff7b6e6a1 in libwpd::WPDocument::parse (input=<optimized out>,
textInterface=<optimized out>, password=0x0)
at WPDocument.cpp:345
#12 0x00000000004018f2 in main (argc=<optimized out>, argv=<optimized out>) at
wpd2html.cpp:116
There is an invalid memory access in the function WPXTableList::WPXTableList() at
WPXTable.cpp:170.
165 WPXTableList::WPXTableList(const WPXTableList &tableList) :
166 m_tableList(tableList.get()),
167 m_refCount(tableList.getRef())
168 {
169 if (m_refCount)
170 (*m_refCount)++;
171 }
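The two traces above describe the same failure from different angles: AddressSanitizer reports a 4-byte read 4 bytes past the end of a 48-byte heap allocation, and gdb shows m_refCount holding 0x6e616d6f522077, which is not a plausible heap address, just before the increment at WPXTable.cpp:170 faults. The script below is an added triage example, not part of this bug report or of libwpd; it parses ASan's access and location lines, cross-checks the numbers, and decodes a pointer value as little-endian bytes. The three sample inputs are copied from the report above. On those inputs the access lands 52 bytes from the start of the allocation, and the pointer decodes to the text "w Roman", which suggests that the field was overwritten with document text before the copy constructor dereferenced it (an inference from the value, not something the report states).

```python
import re

# Constructed sample input: three values copied from the report above (the
# AddressSanitizer access line, its "located ... region" line and the value
# gdb printed for m_refCount). Any ASan report in the same format will parse.
ASAN_ACCESS = "READ of size 4 at 0x60400000dc44 thread T0"
ASAN_LOCATION = ("0x60400000dc44 is located 4 bytes to the right of 48-byte region "
                 "[0x60400000dc10,0x60400000dc40)")
GDB_REFCOUNT = 0x6e616d6f522077   # "$7 = (int *) 0x6e616d6f522077" in the gdb session

ACCESS_RE = re.compile(r"(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
LOCATION_RE = re.compile(
    r"(0x[0-9a-fA-F]+) is located (\d+) bytes to the (left|right) of "
    r"(\d+)-byte region \[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)")


def parse_asan_access(access_line, location_line):
    """Turn ASan's two summary lines into numbers and sanity-check them.

    Returns a dict describing the faulting access relative to the heap region
    ASan identified. Raises ValueError if the lines do not match or disagree.
    """
    a = ACCESS_RE.search(access_line)
    l = LOCATION_RE.search(location_line)
    if not a or not l:
        raise ValueError("lines are not an ASan access/location pair")
    kind, size, addr = a.group(1), int(a.group(2)), int(a.group(3), 16)
    fault = int(l.group(1), 16)
    distance, side = int(l.group(2)), l.group(3)
    region_size = int(l.group(4))
    lo, hi = int(l.group(5), 16), int(l.group(6), 16)
    if fault != addr or hi - lo != region_size:
        raise ValueError("address/region fields disagree")
    # ASan measures the distance from the nearest boundary of the region.
    expected = hi + distance if side == "right" else lo - distance
    if fault != expected:
        raise ValueError("distance does not match the region bounds")
    return {
        "kind": kind,
        "access_size": size,
        "region_size": region_size,
        "side": side,
        "distance": distance,
        # Offset of the access from the start of the allocation. For a
        # right-hand overflow this is the index at which a fixed-size
        # object was accessed (48 + 4 = 52 for the report above).
        "offset_from_region_start": fault - lo,
        # True if any byte of the access lies inside the allocation.
        "touches_region": fault < hi and fault + size > lo,
    }


def pointer_as_text(value, width=8):
    """Decode a pointer-sized value as the little-endian bytes it is made of.

    Returns (text, looks_like_text): text is the decoded bytes with trailing
    NULs stripped (hex if not printable); looks_like_text is True when every
    remaining byte is printable ASCII and there are at least four of them,
    a cheap heuristic for "this pointer was overwritten with data".
    """
    raw = value.to_bytes(width, "little").rstrip(b"\x00")
    printable = all(0x20 <= b < 0x7f for b in raw)
    text = raw.decode("ascii") if printable else raw.hex()
    return text, printable and len(raw) >= 4


def triage(access_line, location_line, pointer_value):
    """Combine both checks into one summary for the bug record."""
    summary = parse_asan_access(access_line, location_line)
    text, is_text = pointer_as_text(pointer_value)
    summary["pointer_as_text"] = text
    summary["pointer_looks_like_data"] = is_text
    return summary


if __name__ == "__main__":
    for key, val in triage(ASAN_ACCESS, ASAN_LOCATION, GDB_REFCOUNT).items():
        print(f"{key}: {val}")
```

The cross-checks in parse_asan_access matter when reports are hand-copied into a tracker, as here: a wrapped or truncated line that no longer agrees with itself is rejected rather than silently misread. pointer_as_text is only a heuristic; a genuine heap or stack address (such as 0x7fffffffdbf8 from the backtrace) contains non-printable high bytes and is reported as hex with the flag cleared.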
Actual results:
crash
Expected results:
crash
Additional info:
This vulnerability was detected by team OWL337, with our custom fuzzer CollAFL.
Please contact [email protected] and [email protected] if you need more
info about the team, the tool or the vulnerability.
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
Libreoffice-bugs mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs