CVE-2018-3929: TALOS-2018-0596 || Cisco Talos Intelligence Group
Summary
An exploitable heap corruption exists in the PowerPoint document conversion functionality of the Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312). A crafted PowerPoint (PPT) document can lead to heap corruption, resulting in remote code execution.
Tested Versions
Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312)
Product URLs
https://www.rainbowpdf.com/batch-office-server-document-converter/
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-787: Out-of-bounds Write
Details
This vulnerability is present in the Antenna House Office Server Document Converter, which is used as a document converter in many server enterprise solutions.
It can convert common formats, such as Microsoft’s document formats, into more usable and easily viewed formats. There is a vulnerability in the conversion of a PowerPoint (PPT) document to PDF, JPEG and several other formats. A specially crafted PowerPoint (PPT) file can lead to heap corruption and remote code execution. Let’s investigate this vulnerability. After we attempt to convert a malicious PowerPoint using the OSDC library, we see the following state:
icewall@ubuntu:/usr/OfficeServerDocumentConverter$ valgrind bin/SBCCmd -d ./crashes/3ec9a0fd9000e26b2479d49afdb8ed68 -p @PDF -o /tmp/x.pdf
==37421== Memcheck, a memory error detector
==37421== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==37421== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==37421== Command: bin/SBCCmd -d ./crashes/3ec9a0fd9000e26b2479d49afdb8ed68 -p @PDF -o /tmp/x.pdf
==37421==
SBCCmd : Office Server Document Converter V6.1 Pro MR2 for Linux64 (6,1,2018,0312)
Copyright (c) 1999-2018 Antenna House, Inc.
==37421== Invalid write of size 1
==37421== at 0x4C3275B: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==37421== by 0xF8AFFAA: std::basic_streambuf<char, std::char_traits<char> >::xsgetn(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==37421== by 0xF87CC7D: std::basic_filebuf<char, std::char_traits<char> >::xsgetn(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==37421== by 0xF8898EA: std::istream::read(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==37421== by 0x5EDCBAA: OleCompNS::AHJzStreamIOobj::Read(char*, int) const (in /usr/OfficeServerDocumentConverter/lib/libDfvGraphic.so.6.1)
==37421== by 0x5ED6674: OleCompNS::AHOleCompStream::OLEread(unsigned char*, unsigned int) (in /usr/OfficeServerDocumentConverter/lib/libDfvGraphic.so.6.1)
==37421== by 0x90D9FEF: DfvCommon::MSORecParseContext::readRecordData(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==37421== by 0xA9341C7: DfvPptReaderNS::SlidePersistAtom::parse(DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421== by 0xA939924: DfvPptReaderNS::SlideStub::parseSlidePersist(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421== by 0xA9476D2: DfvPptReaderNS::PPTDocument::parseSlideList(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421== by 0xA9489BD: DfvPptReaderNS::PPTDocument::parseDocument() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421== by 0xA948DC7: DfvPptReaderNS::PPTDocument::InitSub() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421== Address 0x118b93be is 0 bytes after a block of size 110 alloc'd
==37421== at 0x4C2E80F: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==37421== by 0x90D9F39: DfvCommon::MSORecParseContext::allocBuffer(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==37421== by 0x90D9FD0: DfvCommon::MSORecParseContext::readRecordData(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==37421== by 0xA942E6E: DfvPptReaderNS::TxMasterStyleAtom::parse(DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421== by 0xA942DBA: DfvPptReaderNS::PPTDocument::parseEnvironment(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421== by 0xA9488E5: DfvPptReaderNS::PPTDocument::parseDocument() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421== by 0xA948DC7: DfvPptReaderNS::PPTDocument::InitSub() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421== by 0xA94910F: DfvPptReaderNS::PPTDocument::Init(std::istream*, icu_52::UnicodeString const&) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421== by 0xA91C312: DfvPptReaderNS::DfvPptReader::initDocument(std::istream*, int, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421== by 0x6856D98: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==37421== by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==37421== by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==37421==
As we can see, a heap-based buffer overflow appeared during the memcpy operation.
Looking at the call stacks, we can see that the overflowed buffer was allocated during operations related to the TxMasterStyleAtom record. Further investigation revealed that 0x110 is indeed the TxMasterStyleAtom record size. Next, let’s debug the OleCompNS::AHOleCompStream::OLEread method during parsing of the SlidePersistAtom record. Pseudocode for the function looks as follows:
Line 1  __int64 __fastcall OleCompNS::AHOleCompStream::OLEread(struct_this *this, BYTE *buffer, unsigned int _amount)
Line 2  {
Line 3
Line 6      seek_pos = this->current_record_offset;
Line 7
Line 8      if ( _amount > this->streamSize )                 // compared against the stream size only
Line 9          _amount = this->streamSize - seek_pos;        // no check against the capacity of buffer
Line 10     if ( this->dword38 )
Line 11         v11 = v10->qword68;
Line 12     else
Line 13         v11 = v10->qword60;
Line 14     toRead = v11 - seek_pos % v11;
Line 15     readedTotal = 0;
Line 16     currentOffset = 0;
Line 17     if ( _amount )
Line 18     {
Line 19         while ( OleCompNS::AHOleCompStream::OLESeek( seek_pos, 0LL) >= 0 )
Line 20         {
Line 21             if ( toRead > _amount )
Line 22                 toRead = _amount;
Line 23             readed = OleCompNS::AHJzStreamIOobj::Read( buffer + currentOffset, toRead);  // writes toRead bytes into buffer
Line 24             if ( readed != toRead )
Line 25                 break;
Line 26             readedTotal += readed;
Line 27             currentOffset += readed;
Line 28             _amount -= readed;
Line 29             seek_pos = this->current_record_offset + readed;
Line 30             v16 = this->dword38 == 0;
Line 31             v17 = (struct_v17 *)this->qword8;
Line 32             this->current_record_offset = seek_pos;
Line 33             if ( v16 )
Line 34             {
Line 35                 toRead = v17->dword60;
Line 36                 if ( !_amount )
Line 37                     return readedTotal;
Line 38             }
Line 39             else
Line 40             {
Line 41                 toRead = v17->dword68;
Line 42                 if ( !_amount )
Line 43                     return readedTotal;
Line 44             }
Line 45         }
Line 46     }
Line 47     return readedTotal;
Line 48 }
The _amount argument is set to the SlidePersistAtom record size. In our case, this is 0xff000014. streamSize is the size given in the Compound File Directory Entry, in this case the PowerPoint Document entry, with value 0xF97. As we can see at lines 8-9, if _amount is bigger than streamSize, _amount is set to the result of subtracting seek_pos (the current record offset) from streamSize. Next, inside the while loop, data is read from the file into the buffer in an amount equal to the value of the _amount argument. A heap-based buffer overflow can occur in two scenarios:
- When the _amount argument is bigger than the space previously allocated for the buffer, but smaller than streamSize.
- When _amount is bigger than streamSize, but the result of subtracting seek_pos (the current record offset) from streamSize is bigger than the previously allocated buffer.
Both critical scenarios lead to heap memory corruption and give an attacker the possibility of remotely executing arbitrary code.
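The length arithmetic described above, as an added example that is not code from the advisory or from the vendor: it models the clamp at lines 8-9 next to a hardened length check that also bounds the request by the destination capacity. The function names and the SEEK_POS value are assumptions made for illustration (the advisory does not state seek_pos); the record size, stream size and buffer size come from the advisory and its valgrind output.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Values taken from the advisory. */
#define RECORD_SIZE  0xff000014u  /* SlidePersistAtom size passed as _amount */
#define STREAM_SIZE  0xF97u       /* streamSize of the PowerPoint Document entry */
#define BUF_CAP      110u         /* block size reported by valgrind */
/* Constructed for illustration: the advisory does not state seek_pos. */
#define SEEK_POS     0x800u

/* Length that lines 8-9 of the pseudocode settle on: the request is
   clamped against the stream only, never against the buffer. */
static uint32_t clamp_as_described(uint32_t amount, uint32_t stream_size,
                                   uint32_t seek_pos)
{
    if (amount > stream_size)
        amount = stream_size - seek_pos;  /* wraps when seek_pos > stream_size */
    return amount;
}

/* Bytes that would land past the end of a dst_cap-byte buffer. */
static uint32_t bytes_past_end(uint32_t len, uint32_t dst_cap)
{
    return len > dst_cap ? len - dst_cap : 0;
}

/* Hardened length check (hypothetical helper): the request must fit both the
   remaining stream and the destination. Returns 0 and sets *out_len on
   success, -1 to reject the record instead of silently truncating it. */
static int checked_read_len(uint32_t amount, uint32_t stream_size,
                            uint32_t seek_pos, uint32_t dst_cap,
                            uint32_t *out_len)
{
    if (seek_pos > stream_size)
        return -1;                        /* offset outside the stream */
    if (amount > stream_size - seek_pos)
        return -1;                        /* record larger than what is left */
    if (amount > dst_cap)
        return -1;                        /* would overrun the caller's buffer */
    *out_len = amount;
    return 0;
}

int main(void)
{
    uint32_t len = clamp_as_described(RECORD_SIZE, STREAM_SIZE, SEEK_POS);
    uint32_t ok_len = 0;
    printf("clamped length: %u, past end of buffer: %u\n",
           len, bytes_past_end(len, BUF_CAP));
    printf("hardened check: %d\n",
           checked_read_len(RECORD_SIZE, STREAM_SIZE, SEEK_POS, BUF_CAP, &ok_len));
    return 0;
}
```

Both scenarios from the list are rejected by the hardened check: a request that is within the stream but larger than the buffer, and an oversized request whose clamped value still exceeds the buffer.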
Crash Information
icewall@ubuntu:/usr/OfficeServerDocumentConverter$ valgrind bin/SBCCmd -d ./crashes/3ec9a0fd9000e26b2479d49afdb8ed68 -p @PDF -o /tmp/test.pdf
==38054== Memcheck, a memory error detector
==38054== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==38054== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==38054== Command: bin/SBCCmd -d ./crashes/3ec9a0fd9000e26b2479d49afdb8ed68 -p @PDF -o /tmp/test.pdf
==38054==
SBCCmd : Office Server Document Converter V6.1 Pro MR2 for Linux64 (6,1,2018,0312)
Copyright (c) 1999-2018 Antenna House, Inc.
---------------------------------------
This is an EVALUATION version.
Prohibits the use of evaluation version
for the real business activity.
Expire Date : Jun 06, 2018
---------------------------------------
==38054== Invalid write of size 1
==38054== at 0x4C3275B: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==38054== by 0xF8AFFAA: std::basic_streambuf<char, std::char_traits<char> >::xsgetn(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==38054== by 0xF87CC7D: std::basic_filebuf<char, std::char_traits<char> >::xsgetn(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==38054== by 0xF8898EA: std::istream::read(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==38054== by 0x5EDCBAA: OleCompNS::AHJzStreamIOobj::Read(char*, int) const (in /usr/OfficeServerDocumentConverter/lib/libDfvGraphic.so.6.1)
==38054== by 0x5ED6674: OleCompNS::AHOleCompStream::OLEread(unsigned char*, unsigned int) (in /usr/OfficeServerDocumentConverter/lib/libDfvGraphic.so.6.1)
==38054== by 0x90D9FEF: DfvCommon::MSORecParseContext::readRecordData(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==38054== by 0xA9341C7: DfvPptReaderNS::SlidePersistAtom::parse(DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA939924: DfvPptReaderNS::SlideStub::parseSlidePersist(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA9476D2: DfvPptReaderNS::PPTDocument::parseSlideList(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA9489BD: DfvPptReaderNS::PPTDocument::parseDocument() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA948DC7: DfvPptReaderNS::PPTDocument::InitSub() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== Address 0x118b93de is 0 bytes after a block of size 110 alloc'd
==38054== at 0x4C2E80F: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==38054== by 0x90D9F39: DfvCommon::MSORecParseContext::allocBuffer(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==38054== by 0x90D9FD0: DfvCommon::MSORecParseContext::readRecordData(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==38054== by 0xA942E6E: DfvPptReaderNS::TxMasterStyleAtom::parse(DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA942DBA: DfvPptReaderNS::PPTDocument::parseEnvironment(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA9488E5: DfvPptReaderNS::PPTDocument::parseDocument() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA948DC7: DfvPptReaderNS::PPTDocument::InitSub() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA94910F: DfvPptReaderNS::PPTDocument::Init(std::istream*, icu_52::UnicodeString const&) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA91C312: DfvPptReaderNS::DfvPptReader::initDocument(std::istream*, int, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0x6856D98: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054== by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054== by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054==
==38054== Invalid write of size 1
==38054== at 0xF8AFFD2: std::basic_streambuf<char, std::char_traits<char> >::xsgetn(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==38054== by 0xF87CC7D: std::basic_filebuf<char, std::char_traits<char> >::xsgetn(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==38054== by 0xF8898EA: std::istream::read(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==38054== by 0x5EDCBAA: OleCompNS::AHJzStreamIOobj::Read(char*, int) const (in /usr/OfficeServerDocumentConverter/lib/libDfvGraphic.so.6.1)
==38054== by 0x5ED6674: OleCompNS::AHOleCompStream::OLEread(unsigned char*, unsigned int) (in /usr/OfficeServerDocumentConverter/lib/libDfvGraphic.so.6.1)
==38054== by 0x90D9FEF: DfvCommon::MSORecParseContext::readRecordData(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==38054== by 0xA9341C7: DfvPptReaderNS::SlidePersistAtom::parse(DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA939924: DfvPptReaderNS::SlideStub::parseSlidePersist(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA9476D2: DfvPptReaderNS::PPTDocument::parseSlideList(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA9489BD: DfvPptReaderNS::PPTDocument::parseDocument() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA948DC7: DfvPptReaderNS::PPTDocument::InitSub() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA94910F: DfvPptReaderNS::PPTDocument::Init(std::istream*, icu_52::UnicodeString const&) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== Address 0x118b93eb is 13 bytes after a block of size 110 alloc'd
==38054== at 0x4C2E80F: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==38054== by 0x90D9F39: DfvCommon::MSORecParseContext::allocBuffer(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==38054== by 0x90D9FD0: DfvCommon::MSORecParseContext::readRecordData(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==38054== by 0xA942E6E: DfvPptReaderNS::TxMasterStyleAtom::parse(DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA942DBA: DfvPptReaderNS::PPTDocument::parseEnvironment(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA9488E5: DfvPptReaderNS::PPTDocument::parseDocument() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA948DC7: DfvPptReaderNS::PPTDocument::InitSub() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA94910F: DfvPptReaderNS::PPTDocument::Init(std::istream*, icu_52::UnicodeString const&) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA91C312: DfvPptReaderNS::DfvPptReader::initDocument(std::istream*, int, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0x6856D98: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054== by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054== by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054==
--38054-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--38054-- si_code=128; Faulting address: 0x0; sp: 0x802cade30
valgrind: the 'impossible' happened:
Killed by fatal signal
host stacktrace:
==38054== at 0x38091C12: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==38054== by 0x38050E84: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==38054== by 0x38051056: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==38054== by 0x380D4F7B: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==38054== by 0x380E3946: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
sched status:
running_tid=1
Thread 1: status = VgTs_Runnable (lwpid 38054)
==38054== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==38054== by 0xF81E41F: __cxa_allocate_exception (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==38054== by 0xA94A19E: DfvPptReaderNS::PPTError::throwError(unsigned short, icu_52::UnicodeString const&) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA934206: DfvPptReaderNS::SlidePersistAtom::parse(DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA939924: DfvPptReaderNS::SlideStub::parseSlidePersist(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA9476D2: DfvPptReaderNS::PPTDocument::parseSlideList(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA9489BD: DfvPptReaderNS::PPTDocument::parseDocument() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA948DC7: DfvPptReaderNS::PPTDocument::InitSub() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA94910F: DfvPptReaderNS::PPTDocument::Init(std::istream*, icu_52::UnicodeString const&) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0xA91C312: DfvPptReaderNS::DfvPptReader::initDocument(std::istream*, int, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054== by 0x6856D98: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054== by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054== by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054== by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054== by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==38054== by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
Timeline
2018-05-21 - Vendor Disclosure
2018-07-10 - Public Release
Discovered by Marcin ‘Icewall’ Noga of Cisco Talos.