Headline
CVE-2018-3845: TALOS-2018-0528 || Cisco Talos Intelligence Group
In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.
Summary
An exploitable double free exists in the OpenDocument to JPEG conversion functionality of Hyland Perceptive Document Filters version 11.4.0.2647. A crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.
Tested Versions
Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux
Product URLs
https://www.hyland.com/en/perceptive#docfilters
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-415: Double Free
Details
This vulnerability is present in the Hyland Document Filters conversion functionality, which is used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services. It can convert common formats, such as Microsoft's document formats, into more usable and easily viewed formats. The vulnerability lies in the conversion of an OpenDocument document to JPEG: a specially crafted OpenDocument file can lead to a SkCanvas object double free and remote code execution. Let's investigate this vulnerability. After we attempt to convert a malicious OpenDocument file using the Hyland library, we see the following state:
//page heap is turned on +hpa
windbg.exe isys_doc2text.exe --jpg malicious_opendocument
(4c0.1e70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00f5e788 ebx=00000000 ecx=10f06f00 edx=02000000 esi=1056ef98 edi=10570ff0
eip=6235cfd1 esp=00f5e770 ebp=00f5e794 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
ISYSreadershd!IGR_ImageExport+0xe7f71:
6235cfd1 8b01 mov eax,dword ptr [ecx] ds:002b:10f06f00=????????
Showing more context:
0:000> u eip-5
ISYSreadershd!IGR_ImageExport+0xe7f6c:
6235cfcc 0c85 or al,85h
6235cfce c9 leave
6235cfcf 7406 je ISYSreadershd!IGR_ImageExport+0xe7f77 (6235cfd7)
6235cfd1 8b01 mov eax,dword ptr [ecx]
6235cfd3 6a01 push 1
6235cfd5 ff10 call dword ptr [eax]
6235cfd7 8b7e08 mov edi,dword ptr [esi+8]
6235cfda 85ff test edi,edi
We see an obvious attempt at a virtual function call on a previously freed object. Further examination confirms our assumption:
0:000> !heap -p -a ecx
address 10f06f00 found in
_DPH_HEAP_ROOT @ 78f1000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
12da9af8: 10f06000 2000
6329ab22 verifier!AVrfDebugPageHeapFree+0x000000c2
77045918 ntdll!RtlDebugFreeHeap+0x0000003c
76ff5be1 ntdll!RtlpFreeHeap+0x00056161
76f9fa0d ntdll!RtlFreeHeap+0x000007cd
62676591 ISYSreadershd!IGR_ImageExport+0x00401531
62640792 ISYSreadershd!IGR_ImageExport+0x003cb732
623d973c ISYSreadershd!IGR_ImageExport+0x001646dc
61e0eb4c ISYSreadershd+0x0003eb4c
622a628e ISYSreadershd!IGR_ImageExport+0x0003122e
622a5ed3 ISYSreadershd!IGR_ImageExport+0x00030e73
6233d6c4 ISYSreadershd!IGR_ImageExport+0x000c8664
622ac13f ISYSreadershd!IGR_ImageExport+0x000370df
622ac3c0 ISYSreadershd!IGR_ImageExport+0x00037360
622acb3b ISYSreadershd!IGR_ImageExport+0x00037adb
622abe79 ISYSreadershd!IGR_ImageExport+0x00036e19
622673e4 ISYSreadershd!ISYS_GetHeapHandle+0x000ea7e4
62d441fa isysreaders+0x001d41fa
631cef8f ISYS11df!IGR_Render_Page+0x0000005f
0037a2c8 isys_doc2text+0x0002a2c8
003771fb isys_doc2text+0x000271fb
0037612f isys_doc2text+0x0002612f
003a4c52 isys_doc2text+0x00054c52
003a2cc5 isys_doc2text+0x00052cc5
0037cf76 isys_doc2text+0x0002cf76
00457f44 isys_doc2text+0x00107f44
751c8654 KERNEL32!BaseThreadInitThunk+0x00000024
76fc4a77 ntdll!__RtlUserThreadStart+0x0000002f
76fc4a47 ntdll!_RtlUserThreadStart+0x0000001b
Checking the Linux version, we can obtain a bit more information from partial symbols:
image base :
0xf4a9b000 0xf54c5000 r-xp /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so
[----------------------------------registers-----------------------------------]
EAX: 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 --> 0x0
EBX: 0xf54dff0c --> 0xa42fcc
ECX: 0x8a17e1c --> 0x0
EDX: 0x8a17c08 --> 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 --> 0x0
ESI: 0x8a17e18 --> 0xf54da798 --> 0xf51e89d0 --> 0x83e58955
EDI: 0x8a16300 --> 0xf54da780 --> 0xf51f0770 --> 0x57e58955
EBP: 0xffa1e4a8 --> 0xffa1e4c8 --> 0xffa1e4e8 --> 0xffa1e508 --> 0xffa1e528 --> 0xffa1e578 (--> ...)
ESP: 0xffa1e480 --> 0x8a17c08 --> 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 (--> ...)
EIP: 0xf51f06c0 --> 0x830450ff
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0xf51f06ba: sub esp,0xc
0xf51f06bd: mov eax,DWORD PTR [edx]
0xf51f06bf: push edx
=> 0xf51f06c0: call DWORD PTR [eax+0x4]
0xf51f06c3: add esp,0x10
0xf51f06c6: mov esi,DWORD PTR [edi+0x4]
0xf51f06c9: test esi,esi
0xf51f06cb: je 0xf51f06e1
Guessed arguments:
arg[0]: 0x8a17c08 --> 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 --> 0x0
//Double Free call stack
#0 0xf51f06bf in ISYS_NS::CGdiCanvasImpl::~CGdiCanvasImpl () from ./libISYSreadershd.so
#1 0xf51e89e9 in ?? () from ./libISYSreadershd.so
#2 0xf4b4b028 in ?? () from ./libISYSreadershd.so
#3 0xf51d9b1f in ISYS_NS::CGdiCanvas::~CGdiCanvas() () from ./libISYSreadershd.so
#4 0xf51e8829 in ?? () from ./libISYSreadershd.so
#5 0xf51f01e8 in ISYS_NS::CGdiBitmapImpl::~CGdiBitmapImpl() () from ./libISYSreadershd.so
#6 0xf51e88e9 in ?? () from ./libISYSreadershd.so
#7 0xf51db388 in ?? ISYS_NS::CGdiBitmap::~CGdiBitmap() from ./libISYSreadershd.so
#8 0xf5227233 in ?? () from ./libISYSreadershd.so
#9 0xf50b3221 in ?? () from ./libISYSreadershd.so
#10 0xf522172d in ?? () from ./libISYSreadershd.so
#11 0xf51a621f in ?? () from ./libISYSreadershd.so
#12 0xf518a8bd in ?? () from ./libISYSreadershd.so
#13 0xf591c6c3 in ?? () from ./libISYSreaders.so
#14 0xf7ef4c28 in IGR_Close_Canvas () from ./libISYS11df.so
#15 0x0805bda0 in ?? ()
#16 0x08061690 in ?? ()
#17 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#18 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#19 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#20 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#21 0x08054e88 in ?? ()
#22 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291
#23 0x080531b1 in ?? ()
Tracking this object's life cycle, we can see its creation inside the ISYS_NS::CGdiCanvasImpl::CGdiCanvasImpl method:
Object allocation call stack
#0 0xf51f0977 in ISYS_NS::CGdiCanvasImpl () from ./libISYSreadershd.so
#1 0xf51e65d0 in ?? () from ./libISYSreadershd.so
#2 0xf5229bf4 in ?? () from ./libISYSreadershd.so
#3 0xf50b9f46 in ?? () from ./libISYSreadershd.so
#4 0xf50b3539 in ?? () from ./libISYSreadershd.so
#5 0xf5196e5d in ?? () from ./libISYSreadershd.so
#6 0xf591c595 in ?? () from ./libISYSreaders.so
#7 0xf7ef4bda in IGR_Render_Page () from ./libISYS11df.so
#8 0x0805bbd8 in ?? ()
#9 0x08061690 in ?? ()
#10 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#11 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#12 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#13 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#14 0x08054e88 in ?? ()
#15 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291
#16 0x080531b1 in ?? ()
.text:F51F095C push 0FCh ; unsigned int
.text:F51F0961 call operator new(uint)
.text:F51F0966 mov esi, eax
.text:F51F0968 pop ecx
.text:F51F0969 pop eax
.text:F51F096A push edi ; SkBitmap *
.text:F51F096B push esi ; this
.text:F51F096C call SkCanvas::SkCanvas(SkBitmap const&)
.text:F51F0971 add esp, 10h
.text:F51F0974 mov edx, [ebp+arg_0]
.text:F51F0977 mov [edx+8], esi
Further on, inside the sub_F511F5F0 function, we can observe a call at address F511FCE3 to the SkCanvas::~SkCanvas virtual destructor, which deallocates the vulnerable object:
sub_F511F5F0
(...)
.text:F511FCD7 sub esp, 0Ch
.text:F511FCDA mov edx, [ebp+var_164]
.text:F511FCE0 mov eax, [edx]
.text:F511FCE2 push edx
.text:F511FCE3 call dword ptr [eax+4] ; SkCanvas::~SkCanvas
.text:F511FCE6 add esp, 10h
Call stack for deallocation
#0 0xf46f6bed in SkCanvas::~SkCanvas() () from ./libISYSgraphics.so
#1 0xf511fce6 in ?? () from ./libISYSreadershd.so
#2 0xf5083569 in ?? () from ./libISYSreadershd.so
#3 0xf50832e4 in ?? () from ./libISYSreadershd.so
#4 0xf508331d in ?? () from ./libISYSreadershd.so
#5 0xf50833bb in ?? () from ./libISYSreadershd.so
#6 0xf5224987 in ?? () from ./libISYSreadershd.so
#7 0xf50b4af7 in ?? () from ./libISYSreadershd.so
#8 0xf50b4cdd in ?? () from ./libISYSreadershd.so
#9 0xf50ba2d1 in ?? () from ./libISYSreadershd.so
#10 0xf50b3539 in ?? () from ./libISYSreadershd.so
#11 0xf5196e5d in ?? () from ./libISYSreadershd.so
#12 0xf591c595 in ?? () from ./libISYSreaders.so
#13 0xf7ef4bda in IGR_Render_Page () from ./libISYS11df.so
#14 0x0805bbd8 in ?? ()
#15 0x08061690 in ?? ()
#16 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#17 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#18 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#19 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#20 0x08054e88 in ?? ()
#21 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291
#22 0x080531b1 in ?? ()
Next, during destruction of the ISYS_NS::CGdiCanvasImpl object in ISYS_NS::CGdiCanvasImpl::~CGdiCanvasImpl, a call to the SkCanvas::~SkCanvas virtual destructor is made again:
.text:F51F0690 ISYS_NS::CGdiCanvasImpl::~CGdiCanvasImpl() proc near
.text:F51F0690
(...)
.text:F51F06BA sub esp, 0Ch
.text:F51F06BD mov eax, [edx]
.text:F51F06BF push edx
.text:F51F06C0 call dword ptr [eax+4] ; SkCanvas::~SkCanvas()
.text:F51F06C3 add esp, 10h
Call stack for second free
#0 0xf51f06c0 in ?? () from ./libISYSreadershd.so
#1 0xf51e89e9 in ?? () from ./libISYSreadershd.so
#2 0xf4b4b028 in ?? () from ./libISYSreadershd.so
#3 0xf51d9b1f in ?? () from ./libISYSreadershd.so
#4 0xf51e8829 in ?? () from ./libISYSreadershd.so
#5 0xf51f01e8 in ?? () from ./libISYSreadershd.so
#6 0xf51e88e9 in ?? () from ./libISYSreadershd.so
#7 0xf51db388 in ?? () from ./libISYSreadershd.so
#8 0xf5227233 in ?? () from ./libISYSreadershd.so
#9 0xf50b3221 in ?? () from ./libISYSreadershd.so
#10 0xf522172d in ?? () from ./libISYSreadershd.so
#11 0xf51a621f in ?? () from ./libISYSreadershd.so
#12 0xf518a8bd in ?? () from ./libISYSreadershd.so
#13 0xf591c6c3 in ?? () from ./libISYSreaders.so
#14 0xf7ef4c28 in IGR_Close_Canvas () from ./libISYS11df.so
#15 0x0805bda0 in ?? ()
#16 0x08061690 in ?? ()
#17 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#18 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#19 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#20 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#21 0x08054e88 in ?? ()
#22 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291
#23 0x080531b1 in ?? ()
This results in a double free of the SkCanvas object. An attacker who properly manipulates the heap state between the object's first deallocation and its second deallocation can easily turn this double free vulnerability into arbitrary code execution.
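An added example, not code from the advisory or from Hyland: a minimal C++ model of the ownership flaw traced above, where the render path and the wrapper's destructor both release the same heap object, next to a single-owner version. Canvas, Ledger and the two CanvasImpl classes are hypothetical stand-ins, and tying the first release to a failed render is an assumption; the advisory only shows the first release under IGR_Render_Page and the second under IGR_Close_Canvas.

```cpp
#include <cstdio>
#include <memory>
#include <unordered_map>
#include <vector>

// Hypothetical stand-in for the heap object with a virtual destructor.
struct Canvas { virtual ~Canvas() = default; };

// Quarantining ledger: release() only marks the object dead; storage is
// reclaimed when the ledger is destroyed. A repeated release is therefore
// counted instead of corrupting the heap.
class Ledger {
public:
    Canvas* create() {
        owned_.push_back(std::make_unique<Canvas>());
        live_[owned_.back().get()] = true;
        return owned_.back().get();
    }
    bool release(Canvas* p) {            // false: p was not live (double free)
        auto it = live_.find(p);
        if (it == live_.end() || !it->second) { ++double_frees_; return false; }
        it->second = false;
        return true;
    }
    int double_frees() const { return double_frees_; }
private:
    std::vector<std::unique_ptr<Canvas>> owned_;
    std::unordered_map<Canvas*, bool> live_;
    int double_frees_ = 0;
};

// Flawed pattern: the wrapper stores a raw pointer and releases it in its
// destructor, while the render path releases the same pointer itself.
class RawCanvasImpl {
public:
    explicit RawCanvasImpl(Ledger& l) : ledger_(l), canvas_(l.create()) {}
    ~RawCanvasImpl() { if (canvas_) ledger_.release(canvas_); }
    Canvas* canvas() const { return canvas_; }
private:
    Ledger& ledger_;
    Canvas* canvas_;                     // never cleared after an outside release
};

bool render_page_raw(Ledger& l, RawCanvasImpl& impl, bool entry_readable) {
    if (entry_readable) return true;
    l.release(impl.canvas());            // first release; wrapper still points here
    return false;
}

// Corrected pattern: one owner. Callers ask the owner to discard the canvas;
// unique_ptr::reset() releases once and leaves the owner holding nullptr.
struct LedgerDeleter {
    Ledger* ledger;
    void operator()(Canvas* p) const { ledger->release(p); }
};
class OwningCanvasImpl {
public:
    explicit OwningCanvasImpl(Ledger& l) : canvas_(l.create(), LedgerDeleter{&l}) {}
    void discard() { canvas_.reset(); }
private:
    std::unique_ptr<Canvas, LedgerDeleter> canvas_;
};

bool render_page_owned(OwningCanvasImpl& impl, bool entry_readable) {
    if (entry_readable) return true;
    impl.discard();
    return false;
}

// Each helper runs render then close (wrapper destruction) and reports how
// many repeated releases the ledger saw.
int double_frees_raw(bool entry_readable) {
    Ledger ledger;
    { RawCanvasImpl impl(ledger); render_page_raw(ledger, impl, entry_readable); }
    return ledger.double_frees();
}
int double_frees_owned(bool entry_readable) {
    Ledger ledger;
    { OwningCanvasImpl impl(ledger); render_page_owned(impl, entry_readable); }
    return ledger.double_frees();
}

int main() {
    std::printf("raw, failed render:   %d\n", double_frees_raw(false));
    std::printf("owned, failed render: %d\n", double_frees_owned(false));
    return 0;
}
```

The ledger's quarantine plays the role that page heap and memcheck play in the traces on this page: the released block stays identifiable, so the second release is reported rather than silently reusing the memory.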
Crash Information
==6702== Command: ./isys_doc2text --jpg -o /tmp ./storage/7afffeb388f9aebf11226b95328be2f7
==6702==
[1] File type: Open Document Format (76); Capabilities: 7 - ./storage/7afffeb388f9aebf11226b95328be2f7
[00000000] IGR_RENDER_PAGE failed on ./storage/7afffeb388f9aebf11226b95328be2f7 with code 4 [Could not read ZIP file entry]
==6702== Invalid read of size 4
==6702== at 0x78956BD: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x788D9E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x71F0027: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x787EB1E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x788D828: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x78951E7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x788D8E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7880387: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x78CC232: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7758220: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x78C672C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x784B21E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== Address 0x6c69890 is 0 bytes inside a block of size 252 free'd
==6702== at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702== by 0x8D49BF4: SkCanvas::~SkCanvas() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702== by 0x77C4CE5: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7728568: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x77282E3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x772831C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x77283BA: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x78C9986: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7759AF6: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7759CDC: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x775F2D0: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== Block was alloc'd at
==6702== at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702== by 0x7895965: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x788B5CF: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x78CEBF3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x775EF45: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x783BE5C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x67BE594: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreaders.so)
==6702== by 0x403CBD9: IGR_Render_Page (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYS11df.so)
==6702== by 0x805BBD7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702== by 0x806168F: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702== by 0x8068C26: main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==
==6702== Invalid write of size 4
==6702== at 0x8D2A02F: SkRefCntBase::~SkRefCntBase() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702== by 0x78956C2: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x788D9E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x71F0027: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x787EB1E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x788D828: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x78951E7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x788D8E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7880387: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x78CC232: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7758220: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x78C672C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== Address 0x6c69890 is 0 bytes inside a block of size 252 free'd
==6702== at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702== by 0x8D49BF4: SkCanvas::~SkCanvas() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702== by 0x77C4CE5: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7728568: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x77282E3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x772831C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x77283BA: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x78C9986: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7759AF6: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7759CDC: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x775F2D0: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== Block was alloc'd at
==6702== at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702== by 0x7895965: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x788B5CF: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x78CEBF3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x775EF45: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x783BE5C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x67BE594: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreaders.so)
==6702== by 0x403CBD9: IGR_Render_Page (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYS11df.so)
==6702== by 0x805BBD7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702== by 0x806168F: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702== by 0x8068C26: main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==
==6702== Invalid free() / delete / delete[] / realloc()
==6702== at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702== by 0x8D2A036: SkRefCntBase::~SkRefCntBase() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702== by 0x78956C2: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x788D9E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x71F0027: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x787EB1E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x788D828: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x78951E7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x788D8E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7880387: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x78CC232: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7758220: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== Address 0x6c69890 is 0 bytes inside a block of size 252 free'd
==6702== at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702== by 0x8D49BF4: SkCanvas::~SkCanvas() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702== by 0x77C4CE5: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7728568: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x77282E3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x772831C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x77283BA: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x78C9986: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7759AF6: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7759CDC: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x775F2D0: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== Block was alloc'd at
==6702== at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702== by 0x7895965: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x788B5CF: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x78CEBF3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x775EF45: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x783BE5C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702== by 0x67BE594: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreaders.so)
==6702== by 0x403CBD9: IGR_Render_Page (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYS11df.so)
==6702== by 0x805BBD7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702== by 0x806168F: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702== by 0x8068C26: main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==
[1] Returned 3 page(s)
==6702==
==6702== HEAP SUMMARY:
==6702== in use at exit: 21,065 bytes in 12 blocks
==6702== total heap usage: 64,861 allocs, 64,850 frees, 42,305,231 bytes allocated
==6702==
==6702== LEAK SUMMARY:
==6702== definitely lost: 0 bytes in 0 blocks
==6702== indirectly lost: 0 bytes in 0 blocks
==6702== possibly lost: 0 bytes in 0 blocks
==6702== still reachable: 21,065 bytes in 12 blocks
==6702== suppressed: 0 bytes in 0 blocks
==6702== Rerun with --leak-check=full to see details of leaked memory
==6702==
==6702== For counts of detected and suppressed errors, rerun with: -v
==6702== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
Timeline
2018-02-22 - Vendor Disclosure
2018-03-22 - Vendor patched
2018-04-26 - Public Release
Discovered by Marcin ‘Icewall’ Noga of Cisco Talos.