Headline
CVE-2018-3930: TALOS-2018-0597 || Cisco Talos Intelligence Group
In Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312), a crafted Microsoft Word (DOC) document can lead to an out-of-bounds write, resulting in remote code execution. This vulnerability occurs in the vbgetfp
method.
Summary
An exploitable out-of-bounds write exists in the Microsoft Word document conversion functionality of the Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312). A crafted Microsoft Word (DOC) document can lead to an out-of-bounds write, resulting in remote code execution. This vulnerability occurs in the vbgetfp method.
Tested Versions
Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312)
Product URLs
https://www.rainbowpdf.com/batch-office-server-document-converter/
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-787: Out-of-bounds Write
Details
This vulnerability is present in the Antenna House Office Server Document Converter which is used as a document converter in many server enterprise solutions.
It can convert common formats such as Microsoft’s document formats into more usable and easily viewed formats. There is a vulnerability in the conversion process of a Microsoft Word (DOC) to PDF, JPEG and several other formats. A specially crafted Microsoft Word (DOC) file can lead to heap corruption and remote code execution. Let’s investigate this vulnerability. After we attempt to convert a malicious Microsoft Word (doc) using the OSDC library, we see the following state:
icewall@ubuntu:/usr/OfficeServerDocumentConverter$ valgrind bin/SBCCmd -p @PDF -o /tmp/test.pdf -d ./crashes/009be5a68df722560f16f9c86b73696b
==51370== Memcheck, a memory error detector
==51370== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==51370== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==51370== Command: bin/SBCCmd -p @PDF -o /tmp/test.pdf -d ./crashes/009be5a68df722560f16f9c86b73696b
==51370==
SBCCmd : Office Server Document Converter V6.1 Pro MR2 for Linux64 (6,1,2018,0312)
Copyright (c) 1999-2018 Antenna House, Inc.
---------------------------------------
This is an EVALUATION version.
Prohibits the use of evaluation version
for the real business activity.
Expire Date : Jun 06, 2018
---------------------------------------
==51370== Invalid write of size 8
==51370== at 0xB4D3651: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== Address 0x12588a80 is 0 bytes after a block of size 512 alloc'd
==51370== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==51370== by 0xB4D3338: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
As we can see, an out-of-bounds write appeared during some memory operations inside the vbgetfp method.
Looking at the call stack, we can see that the out-of-bounds write appears in the same function that the overflowed buffer is allocated in. Let’s take a look at pseudo code for the vbgetfp function:
Line 1 __int64 __fastcall DfvDocReaderNS::DfvDocReader::vbgetfp(DfvDocReaderNS::DfvDocReader *this, OleCompNS::AHOleCompStream *AHOleCompStream, int page_index, int a4, unsigned __int16 *a5, int *a6)
Line 2 {
Line 3
Line 4 buffer = (unsigned __int8 *)malloc(0x200uLL);
Line 5 if ( buffer )
Line 6 {
Line 7 dstBuffer = (int *)malloc(0x200uLL);
Line 8 if ( dstBuffer )
Line 9 {
Line 10 if ( v8 == 1 )
Line 11 page_offset = DfvDocReaderNS::FKPPAGE::getPage(
Line 12 (DfvDocReaderNS::DfvDocReader *)((char *)this + 688),
Line 13 _page_index);
Line 14 else
Line 15 page_offset = DfvDocReaderNS::FKPPAGE::getPage(
Line 16 (DfvDocReaderNS::DfvDocReader *)((char *)this + 736),
Line 17 _page_index);
Line 18 if ( OleCompNS::AHOleCompStream::OLEseek( AHOleCompStream, (unsigned int)(page_offset << 9), 0LL) < 0 )
(...)
Line 24 v117 = OleCompNS::AHOleCompStream::OLEtell(AHOleCompStream);//
Line 25 v13 = *(_QWORD *)AHOleCompStream;
Line 26 v121.m128i_i64[0] = (__int64)&v123;
Line 27 OleCompNS::AHOleCompStream::OLEread( AHOleCompStream, &v123, 512LL);
(...)
Line 31 qmemcpy(buffer, &v123, 0x200uLL);
Line 32 amountToCopy = buffer[511];
Line 33 v15 = amountToCopy + 1;
Line 34 v16 = 16 * (amountToCopy >> 4);
Line 35 if ( v16 && v15 > 0xF )
Line 36 {
Line 37 _buffer = (const __m128i *)(buffer + 1);
Line 38 _dstBuffer = dstBuffer;
Line 39 index = 0;
Line 40 do
Line 41 {
Line 42 v20 = _mm_loadu_si128(_buffer);
Line 43 ++index;
Line 44 _buffer += 4;
Line 45 _dstBuffer += 16;
Line 46 v21 = _mm_loadu_si128(_buffer - 3);
Line 47 v22 = _mm_loadu_si128(_buffer - 2);
Line 48 v23 = _mm_unpackhi_epi8(v20, v21);
Line 49 v24 = _mm_unpacklo_epi8(v20, v21);
Line 50 v25 = _mm_loadu_si128(_buffer - 1);
Line 51 v26 = _mm_unpackhi_epi8(v22, v25);
Line 52 v27 = v24;
Line 53 v28 = _mm_unpacklo_epi8(v22, v25);
Line 54 v29 = _mm_unpacklo_epi8(v24, v23);
Line 55 v30 = _mm_unpackhi_epi8(v27, v23);
Line 56 (...)
Line 57 _mm_storeu_si128(
Line 58 (__m128i *)_dstBuffer - 4,
Line 59 _mm_or_si128(
Line 60 _mm_or_si128(
Line 61 _mm_or_si128(
Line 62 _mm_slli_epi32(_mm_unpacklo_epi16(v68, (__m128i)0LL), 8u),
Line 63 _mm_slli_epi32(_mm_unpacklo_epi16(v61, (__m128i)0LL), 0x10u)),
Line 64 _mm_unpacklo_epi16(v90, (__m128i)0LL)),
Line 65 _mm_slli_epi32(_mm_unpacklo_epi16(v75, (__m128i)0LL), 0x18u)));
Line 66 _mm_storeu_si128(
Line 67 (__m128i *)_dstBuffer - 3,
Line 68 _mm_or_si128(
Line 69 _mm_or_si128(
Line 70 _mm_or_si128(
Line 71 _mm_slli_epi32(_mm_unpackhi_epi16(v68, (__m128i)0LL), 8u),
Line 72 _mm_slli_epi32(_mm_unpackhi_epi16(v61, (__m128i)0LL), 0x10u)),
Line 73 _mm_unpackhi_epi16(v90, (__m128i)0LL)),
Line 74 _mm_slli_epi32(_mm_unpackhi_epi16(v75, (__m128i)0LL), 0x18u)));
Line 75 _mm_storeu_si128(
Line 76 (__m128i *)_dstBuffer - 1,
Line 77 _mm_or_si128(
Line 78 _mm_or_si128(
Line 79 _mm_or_si128(
Line 80 _mm_slli_epi32(_mm_unpackhi_epi16(v72, (__m128i)0LL), 8u),
Line 81 _mm_slli_epi32(_mm_unpackhi_epi16(v76, (__m128i)0LL), 0x10u)),
Line 82 _mm_unpackhi_epi16(v89, (__m128i)0LL)),
Line 83 _mm_slli_epi32(_mm_unpackhi_epi16(v79, (__m128i)0LL), 0x18u)));
Line 84 _mm_storeu_si128(
Line 85 (__m128i *)_dstBuffer - 2,
Line 86 _mm_or_si128(
Line 87 _mm_or_si128(
Line 88 _mm_or_si128(
Line 89 _mm_slli_epi32(_mm_unpacklo_epi16(v72, (__m128i)0LL), 8u),
Line 90 _mm_slli_epi32(_mm_unpacklo_epi16(v76, (__m128i)0LL), 0x10u)),
Line 91 _mm_unpacklo_epi16(v89, (__m128i)0LL)),
Line 92 _mm_slli_epi32(_mm_unpacklo_epi16(v79, (__m128i)0LL), 0x18u)));
Line 93 }
Line 94 while ( amountToCopy >> 4 > index );
Line 95 (...)
Line 96 v109 = 4 * v16;
Line 97 v110 = (signed __int64)&buffer[4 * v16 + 3];
Line 98 do
Line 99 {
Line 100 v111 = *(unsigned __int8 *)(v110 - 2);
Line 101 v112 = *(unsigned __int8 *)(v110 - 1);
Line 102 v113 = v16++;
Line 103 v110 += 4LL;
Line 104 v114 = (v112 << 16) | (v111 << 8);
Line 105 v115 = v109;
Line 106 v109 += 4;
Line 107 dstBuffer[v113] = (*(unsigned __int8 *)(v110 - 4) << 24) | buffer[v115] | v114;
Line 108 }
Line 109 while ( (signed int)amountToCopy >= v16 );
Line 110 goto LABEL_14;
Line 111 }
Line 112 return 0;
Line 113 }
As we can see, the code above allocates two buffers:
line 4 buffer
line 7 dstBuffer
with constant size 512 bytes (0x200). Next, 512 bytes are ready directly from the file and copied into buffer at lines 27 and 31. The last byte (line 21) is used as a limit for the amount of iterations for a loop where the data from a buffer is copied to dstBuffer buffer. During each iteration, 64 (0x40) bytes are copied. There is no check whether value of amountToCopy»4 is bigger than 0x200 / 0x40 = 8 . For all values of amountToCopy in the range of 144-255, an out-of-bounds write will occur, causing memory corruption. As a result, the attacker has the possibility to corrupt memory, potentially resulting in arbitrary remote code execution.
Crash Information
==51370== Invalid read of size 16
==51370== at 0xB4D356E: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== Address 0x12588870 is 16 bytes before a block of size 512 alloc'd
==51370== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==51370== by 0xB4D3338: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==
==51370== Invalid write of size 8
==51370== at 0xB4D3651: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== Address 0x12588a80 is 0 bytes after a block of size 512 alloc'd
==51370== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==51370== by 0xB4D3338: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==
==51370== Invalid write of size 8
==51370== at 0xB4D367A: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== Address 0x12588a90 is 16 bytes after a block of size 512 alloc'd
==51370== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==51370== by 0xB4D3338: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==
==51370== Invalid write of size 8
==51370== at 0xB4D36E0: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== Address 0x12588ab0 is 16 bytes before an unallocated block of size 2,708,768 in arena "client"
==51370==
==51370== Invalid write of size 8
==51370== at 0xB4D36E5: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370== by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370== by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== Address 0x12588aa0 is 32 bytes before an unallocated block of size 2,708,768 in arena "client"
==51370==
valgrind: m_mallocfree.c:303 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 576, hi = 0.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata. If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away. Please try that before reporting this as a bug.
Timeline
2018-05-21 - Vendor Disclosure
2018-07-10 - Public Release
Discovered by Marcin ‘Icewall’ Noga of Cisco Talos.