Description of problem:
There is a heap overflow in libwpd. This vulnerability has been triggered in libreoffice. It may exist in other office applications.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./wpd2html POC1

Steps to Reproduce:
=================================================================
==115429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dc44 at pc 0x7ffff7ad9911 bp 0x7fffffffd270 sp 0x7fffffffd268
READ of size 4 at 0x60400000dc44 thread T0
    #0 0x7ffff7ad9910 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
    #1 0x7ffff7acfaaa (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9baaa)
    #2 0x7ffff7ad1ef2 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9def2)
    #3 0x7ffff7b37554 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x103554)
    #4 0x7ffff7a86cf6 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x52cf6)
    #5 0x7ffff7aa944f (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x7544f)
    #6 0x7ffff7a975cb (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x635cb)
    #7 0x7ffff7a9835e (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x6435e)
    #8 0x7ffff7b3628c (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x10228c)
    #9 0x4ee0d5 (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4ee0d5)
    #10 0x7ffff611682f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4194d8 (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4194d8)

0x60400000dc44 is located 4 bytes to the right of 48-byte region [0x60400000dc10,0x60400000dc40)
allocated by thread T0 here:
    #0 0x4eabd0 (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4eabd0)
    #1 0x7ffff7b5de49 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x129e49)
    #2 0x7ffff7b5a3e4 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x1263e4)
    #3 0x7ffff7adb15b (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa715b)
    #4 0x7ffff7acf975 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9b975)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
Shadow bytes around the buggy address:
  0x0c087fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
=>0x0c087fff9b80: fa fa 00 00 00 00 00 00[fa]fa 00 00 00 00 00 00
  0x0c087fff9b90: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9ba0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bb0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bc0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bd0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==115429==ABORTING
[Inferior 1 (process 115429) exited with code 01]

$ ./wpd2html POC1
Segmentation fault

The GDB debugging information is as follows:

(gdb) set args POC1
(gdb) r
(gdb) i b
Num     Type           Disp Enb Address            What
5       breakpoint     keep y   0x00007ffff7b87f37 in WPXTableList::WPXTableList(WPXTableList const&) at WPXTable.cpp:170
        breakpoint already hit 18 times
(gdb) p m_refCount
$7 = (int *) 0x6e616d6f522077
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8, tableList=...) at WPXTable.cpp:170
170	        (*m_refCount)++;
(gdb) bt
#0  0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8, tableList=...) at WPXTable.cpp:170
#1  0x00007ffff7b37b6f in WPXHeaderFooter::getTableList (this=<optimized out>) at ./WPXPageSpan.h:66
#2  WP5StylesListener::insertBreak (this=<optimized out>, breakType=<optimized out>) at WP5StylesListener.cpp:94
#3  0x00007ffff7b31a01 in WP5Parser::parseDocument (input=<optimized out>, encryption=<optimized out>, listener=<optimized out>) at WP5Parser.cpp:102
#4  0x00007ffff7b332bd in WP5Parser::parseSubDocument (this=0x6284c0, documentInterface=0x7fffffffe420) at WP5Parser.cpp:234
#5  0x00007ffff7b6f5da in libwpd::WPDocument::parseSubDocument (input=0x6272c0, textInterface=0x7fffffffe420, fileFormat=<optimized out>) at WPDocument.cpp:460
#6  0x00007ffff7b0492a in WP3ContentListener::insertWP51Table (this=0x7fffffffe1c8, height=<optimized out>, width=<optimized out>, verticalOffset=<optimized out>, horizontalOffset=<optimized out>, leftColumn=<optimized out>, rightColumn=<optimized out>, figureFlags=65535, subDocument=0x627280, caption=0x627320) at WP3ContentListener.cpp:867
#7  0x00007ffff7b19826 in WP3WindowGroup::parse (this=0x6287e0, listener=0x7fffffffe1c8) at WP3WindowGroup.cpp:144
#8  0x00007ffff7b0deee in WP3Parser::parseDocument (input=<optimized out>, listener=<optimized out>, encryption=<optimized out>) at WP3Parser.cpp:107
#9  WP3Parser::parse (this=<optimized out>, input=<optimized out>, encryption=<optimized out>, listener=<optimized out>) at WP3Parser.cpp:76
#10 0x00007ffff7b0e742 in WP3Parser::parse (this=<optimized out>, textInterface=<optimized out>) at WP3Parser.cpp:153
#11 0x00007ffff7b6e6a1 in libwpd::WPDocument::parse (input=<optimized out>, textInterface=<optimized out>, password=0x0) at WPDocument.cpp:345
#12 0x00000000004018f2 in main (argc=<optimized out>, argv=<optimized out>) at wpd2html.cpp:116

There is an erroneous memory access in the function WPXTableList::WPXTableList() at line WPXTable.cpp:170.

165 WPXTableList::WPXTableList(const WPXTableList &tableList) :
166 	m_tableList(tableList.get()),
167 	m_refCount(tableList.getRef())
168 {
169 	if (m_refCount)
170 		(*m_refCount)++;
171 }

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability was detected by team OWL337, with our custom fuzzer CollAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
We also reported this vulnerability to "https://bugzilla.redhat.com/show_bug.cgi?id=1489337" because libwpd also affects other office applications.
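The sanitizer report and the GDB value above can be triaged mechanically. The following Python is an added example, not part of the bug report or of libwpd: it extracts the access type, size and distance past the allocation from an ASan heap-buffer-overflow report, and decodes a pointer-sized value as little-endian bytes to show that the m_refCount value 0x6e616d6f522077 is printable text rather than a heap address. The sample report text is constructed from the lines quoted above, with the frame lists truncated.

```python
import re

# Constructed sample: key lines of the ASan report from the bug above (frames truncated).
ASAN_REPORT = """\
==115429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dc44 at pc 0x7ffff7ad9911 bp 0x7fffffffd270 sp 0x7fffffffd268
READ of size 4 at 0x60400000dc44 thread T0
    #0 0x7ffff7ad9910 (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
0x60400000dc44 is located 4 bytes to the right of 48-byte region [0x60400000dc10,0x60400000dc40)
allocated by thread T0 here:
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"(?P<size>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")


def parse_asan_report(text):
    """Pull out the facts a triager needs from an ASan heap-buffer-overflow report."""
    head = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    region = REGION_RE.search(text)
    if not (head and access and region):
        raise ValueError("not a recognised ASan heap-buffer-overflow report")
    addr = int(access["addr"], 16)
    size = int(access["size"])
    hi = int(region["hi"], 16)
    return {
        "kind": head["kind"],
        "op": access["op"],                  # READ is an info leak / crash; WRITE is worse
        "size": size,
        "region_size": int(region["size"]),
        "bytes_past_end": addr - hi,         # where the access starts relative to the end
        "overrun_end": addr + size - hi,     # last byte touched, relative to the end
    }


def pointer_as_ascii(value, width=8):
    """Render a pointer-sized value as little-endian bytes; printable text in a pointer
    slot is a strong hint that the object holds file content instead of a valid address."""
    raw = value.to_bytes(width, "little").rstrip(b"\x00")
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


if __name__ == "__main__":
    print(parse_asan_report(ASAN_REPORT))
    print(pointer_as_ascii(0x6E616D6F522077))   # prints "w Roman"
```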
David: since it concerns libwpd, thought you might be interested in this one?
https://sourceforge.net/p/libwpd/tickets/14/
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=dd89afa6ee8166b69e7a1e86f22616ca8fc122c9

Resolves: tdf#112269 libwpd fix

It will be available in 6.0.0.

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-5-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=05da1c67e49a2d758799db735a826c4d292fea44&h=libreoffice-5-3

Resolves: tdf#112269 libwpd fix

It will be available in 5.3.7.

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-5-4":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=c0d54f7080a22074cac7eeb78893116c36114871&h=libreoffice-5-4

Resolves: tdf#112269 libwpd fix

It will be available in 5.4.2.

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Has the issue already been fixed? Any current update?
Thanks
Waynem Ccollough
https://amsterdamdiary.com/
Yes, fixed in 5.4.2, 5.3.7 and 6.0.0
(In reply to Caolán McNamara from comment #8)
> Yes, fixed in 5.4.2, 5.3.7 and 6.0.0

Thank you :)