Talos Vulnerability Report

TALOS-2017-0298

Corel PHOTO-PAINT X8 TIFF Filter Code Execution Vulnerability

July 20, 2017
CVE Number

CVE-2017-2804

Summary

A remote out of bound write vulnerability exists in the TIFF parsing functionality of Core PHOTO-PAINT X8 18.1.0.661. A specially crafted TIFF file can cause a vulnerability resulting in potential memory corruption. An attacker can send the victim a specific TIFF file to trigger this vulnerability.

Tested Versions

Corel PHOTO-PAINT X8 (Corel TIFF Import/Export Filter (64-Bit) - 18.1.0.661) - x64 & x86 version

Product URLs

http://corel.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Details

An remote memory corruption vulnerability exists in the TIFF parsing functionality of Corel PHOTO-PAINT. A specially crafted TIFF file can cause a vulnerability resulting in potential memory corruption.

Module used in this vulnerability is described below:

start    end        module name
31980000 319a2000   IETIF      (export symbols)       c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters\IETIF.FLT
	Loaded symbol image file: c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters\IETIF.FLT
	Image path: c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters\IETIF.FLT
	Image name: IETIF.FLT
	Timestamp:        Fri Jun 24 18:14:13 2016 (576DDAE5)
	CheckSum:         00022E36
	ImageSize:        00022000
	File version:     18.1.0.661

While parsing a TIFF file, a tag of type 0x111 can be given. In this tag, there is a count attribute used to dictate further information to read from the file.

<class tiff.Entry> '3'
[30] <instance tiff.DirectoryTag 'tag'> StripOffsets(0x111)
[32] <instance tiff.DirectoryType 'type'> BYTE(0x1)
[34] <instance pint.uint32_t 'count'> 0x00000001 (1)
[38] <instance tiff.BYTE 'value'> 0x00 (0)
[39] <instance dynamic.block(3) 'padding'> "\x00\x00\x00"
[3c] <instance ptype.undefined 'pointer'> ...

If there is no more data to read from the file, ReadFile will return 0 for the number of bytes read from the file.

CDRFLT!FLTCLIPDATA::GetClrUsed+0x28ad:
.text:1001FA1D 010                 lea     eax, [esp+10h+NumberOfBytesRead]
.text:1001FA21 010                 push    eax             ; Bytes read written to this address
.text:1001FA22 014                 push    [esp+14h+nNumberOfBytesToRead] 
.text:1001FA26 018                 push    [esp+18h+lpBuffer] 
.text:1001FA2A 01C                 push    dword ptr [esi+40h] 
.text:1001FA2D 020                 call    ds:ReadFile ; NumberOfBytesRead is set to 0
.text:1001FA33 00C                 neg     eax
.text:1001FA35 00C                 lea     ecx, [esp+0Ch+var_8]
.text:1001FA39 00C                 sbb     esi, esi
.text:1001FA3B 00C                 and     esi, [esp+0Ch+NumberOfBytesRead]
.text:1001FA3F 00C                 call    ds:mfc140u_1052 ; Doesn't modify esi
.text:1001FA45 00C                 mov     eax, esi 	   ; esi (0) is returned
.text:1001FA47 00C                 pop     esi
.text:1001FA48 008                 add     esp, 8
.text:1001FA4B 000                 retn    0Ch

This value is saved at offset 0x10 for later use.

IETIF!FilterEntry04+0x8c4a:
.text:1000AF9A 030 FF D0                   call    eax             ; ReadFile function from above
.text:1000AF9C 024 89 45 10                mov     [ebp+10h], eax  ; 0 value written

The function presented below is typically executed 3 times (assuming our POC is being parsed):

1st pass: 8 bytes are read (TIFF initial/basic header)
2nd pass: number of bytes is calculated by this formula: image file directory num entries * 12 (size of entry)
3rd pass: in our case -1 bytes (large negative number)

IETIF!FilterEntry04+0xaa00:
.text:0001CD50 ; int __stdcall memcpy_proc(void *Dst, int)
.text:0001CD50 memcpy_proc     proc near               ; CODE XREF: sub_18110+F3p
.text:0001CD50                                         ; sub_184A0:loc_1869Dp ...
.text:0001CD50
.text:0001CD50 Dst             = dword ptr  4
.text:0001CD50 arg_4           = dword ptr  8
.text:0001CD50
.text:0001CD50                 push    ebx             
.text:0001CD51                 mov     ebx, [esp+4+Dst] 
.text:0001CD55                 push    esi
.text:0001CD56                 mov     esi, ecx
.text:0001CD58                 push    edi
.text:0001CD59                 mov     edi, [esp+0Ch+arg_4]
.text:0001CD5D                 mov     edx, [esi+4]
.text:0001CD60                 add     edi, [esi+8]
.text:0001CD63                 add     edx, [esi+8]
.text:0001CD66                 mov     eax, [esi+10h]  ; eax=how many bytes to read? 
.text:0001CD69                 cmp     edi, eax        ; but eax can be forced to be 0
.text:0001CD6B                 jle     short loc_1CDCA ; less than (good read)
.text:0001CD6D                 nop     dword ptr [eax]
.text:0001CD70
.text:0001CD70 loc_1CD70:                              ; CODE XREF: memcpy_proc+78j
.text:0001CD70                 sub     eax, [esi+8]    ; 0 bytes - 1 bytes = -1 (infinite)
.text:0001CD73                 push    eax             ; Size
.text:0001CD74                 push    edx             ; Src
.text:0001CD75                 push    ebx             ; Dst
.text:0001CD76                 call    memcpy          ; bug
.text:0001CD7B                 mov     eax, [esi+10h]
.text:0001CD7E                 add     esp, 0Ch
.text:0001CD81                 sub     eax, [esi+8]
.text:0001CD84                 sub     edi, [esi+10h]
.text:0001CD87                 add     ebx, eax
.text:0001CD89                 mov     eax, [esi]
.text:0001CD8B                 push    dword ptr [esi+0Ch]
.text:0001CD8E                 push    dword ptr [esi+4]
.text:0001CD91                 push    eax
.text:0001CD92                 mov     eax, [eax+1B8h]
.text:0001CD98                 call    eax
.text:0001CD9A                 mov     [esi+10h], eax
.text:0001CD9D                 cmp     eax, [esi+0Ch]
.text:0001CDA0                 jge     short loc_1CDB9
.text:0001CDA2                 cmp     eax, edi
.text:0001CDA4                 jge     short loc_1CDB9
.text:0001CDA6                 mov     eax, [esi]
.text:0001CDA8                 mov     dword ptr [eax+78h], 6773h
.text:0001CDAF                 mov     edi, [esi+10h]
.text:0001CDB2                 mov     dword ptr [esi+18h], 1
.text:0001CDB9
.text:0001CDB9 loc_1CDB9:                              ; CODE XREF: memcpy_proc+50j
.text:0001CDB9                                         ; memcpy_proc+54j
.text:0001CDB9                 mov     eax, [esi+10h]
.text:0001CDBC                 mov     edx, [esi+4]
.text:0001CDBF                 mov     dword ptr [esi+8], 0
.text:0001CDC6                 cmp     edi, eax
.text:0001CDC8                 jg      short loc_1CD70
.text:0001CDCA
.text:0001CDCA loc_1CDCA:                              ; CODE XREF: memcpy_proc+1Bj
.text:0001CDCA                 mov     eax, edi
.text:0001CDCC                 sub     eax, [esi+8]
.text:0001CDCF                 push    eax             ; Size
.text:0001CDD0                 push    edx             ; Src
.text:0001CDD1                 push    ebx             ; Dst
.text:0001CDD2                 call    memcpy
.text:0001CDD7                 mov     ecx, [esi+10h]
.text:0001CDDA                 add     esp, 0Ch
.text:0001CDDD                 test    ecx, ecx
.text:0001CDDF                 jz      short loc_1CDE9
.text:0001CDE1
.text:0001CDE1 loc_1CDE1:                              ; CODE XREF: memcpy_proc+97j
.text:0001CDE1                 cmp     edi, ecx
.text:0001CDE3                 jle     short loc_1CDE9
.text:0001CDE5                 sub     edi, ecx
.text:0001CDE7                 jmp     short loc_1CDE1
.text:0001CDE9 ; ---------------------------------------------------------------------------
.text:0001CDE9
.text:0001CDE9 loc_1CDE9:                              ; CODE XREF: memcpy_proc+8Fj
.text:0001CDE9                                         ; memcpy_proc+93j
.text:0001CDE9                 xor     eax, eax
.text:0001CDEB                 test    ecx, ecx
.text:0001CDED                 cmovnz  eax, edi
.text:0001CDF0                 pop     edi
.text:0001CDF1                 mov     [esi+8], eax
.text:0001CDF4                 pop     esi
.text:0001CDF5                 pop     ebx
.text:0001CDF6                 retn    8
.text:0001CDF6 memcpy_proc     endp

Using the saved 0 value from ReadFile in a subtraction (0x0001CD70), a 0xffffffff value is generated and passed as the size to a memcpy operation.

Crash Information

0:000> !analyze -v *************************** * * * Exception Analysis * * * ***************************

FAULTING_IP: 
VCRUNTIME140!memcpy+57
FAULTING_IP: 
VCRUNTIME140!memcpy+57
FAULTING_IP: 
VCRUNTIME140!memcpy+57 [f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 135]
 [f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 135]
 [f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 135]
00007ffe`2b9ec877 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
00007ffe`2b9ec877 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
00007ffe`2b9ec877 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]

EXCEPTION_RECORD: 
EXCEPTION_RECORD: 
EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
 ffffffffffffffff -- (.exr 0xffffffffffffffff)
 ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffe2b9ec877 (VCRUNTIME140!memcpy+0x0000000000000057)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000016759f1b000
Attempt to write to address 0000016759f1b000
ExceptionAddress: 00007ffe2b9ec877 (VCRUNTIME140!memcpy+0x0000000000000057)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000016759f1b000
Attempt to write to address 0000016759f1b000
ExceptionAddress: 00007ffe2b9ec877 (VCRUNTIME140!memcpy+0x0000000000000057)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000016759f1b000
Attempt to write to address 0000016759f1b000

CONTEXT: 
CONTEXT: 
CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
 0000000000000000 -- (.cxr 0x0;r)
 0000000000000000 -- (.cxr 0x0;r)
rax=0000016759ed15a0 rbx=0000016759e49830 rcx=fffffffffffb659f
rdx=ffffffffffff5b61 rsi=0000016759f10b61 rdi=0000016759f1b000
rip=00007ffe2b9ec877 rsp=00000037e49cc218 rbp=0000016759ed15a0
 r8=0000000000000000  r9=0000000000000000 r10=0000016759ec7101
r11=0000000000000002 r12=0000016759ec5b60 r13=0000000000000000
r14=0000016759ed15a0 r15=0000016759ed15a0
iopl=0         nv up ei ng nz na pe cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
VCRUNTIME140!memcpy+0x57:
00007ffe`2b9ec877 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
rax=0000016759ed15a0 rbx=0000016759e49830 rcx=fffffffffffb659f
rdx=ffffffffffff5b61 rsi=0000016759f10b61 rdi=0000016759f1b000
rip=00007ffe2b9ec877 rsp=00000037e49cc218 rbp=0000016759ed15a0
 r8=0000000000000000  r9=0000000000000000 r10=0000016759ec7101
r11=0000000000000002 r12=0000016759ec5b60 r13=0000000000000000
r14=0000016759ed15a0 r15=0000016759ed15a0
iopl=0         nv up ei ng nz na pe cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
VCRUNTIME140!memcpy+0x57:
00007ffe`2b9ec877 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
rax=0000016759ed15a0 rbx=0000016759e49830 rcx=fffffffffffb659f
rdx=ffffffffffff5b61 rsi=0000016759f10b61 rdi=0000016759f1b000
rip=00007ffe2b9ec877 rsp=00000037e49cc218 rbp=0000016759ed15a0
 r8=0000000000000000  r9=0000000000000000 r10=0000016759ec7101
r11=0000000000000002 r12=0000016759ec5b60 r13=0000000000000000
r14=0000016759ed15a0 r15=0000016759ed15a0
iopl=0         nv up ei ng nz na pe cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
VCRUNTIME140!memcpy+0x57:
00007ffe`2b9ec877 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]

FAULTING_THREAD:  0000000000001684

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

PROCESS_NAME:  CorelPP-APP.exe

OVERLAPPED_MODULE: Address regions for 'icm32' and 'lcms2.dll' overlap

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000016759f1b000

WRITE_ADDRESS:  0000016759f1b000 

FOLLOWUP_IP: 
VCRUNTIME140!memcpy+57
FAULTING_THREAD:  0000000000001684

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

PROCESS_NAME:  CorelPP-APP.exe

OVERLAPPED_MODULE: Address regions for 'icm32' and 'lcms2.dll' overlap

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000016759f1b000

WRITE_ADDRESS:  0000016759f1b000 

FOLLOWUP_IP: 
VCRUNTIME140!memcpy+57
FAULTING_THREAD:  0000000000001684

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

PROCESS_NAME:  CorelPP-APP.exe

OVERLAPPED_MODULE: Address regions for 'icm32' and 'lcms2.dll' overlap

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000016759f1b000

WRITE_ADDRESS:  0000016759f1b000 

FOLLOWUP_IP: 
VCRUNTIME140!memcpy+57 [f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 135]
 [f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 135]
 [f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 135]
00007ffe`2b9ec877 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
00007ffe`2b9ec877 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
00007ffe`2b9ec877 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

APP:  corelpp-app.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

MANAGED_STACK: !dumpstack -EE

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

APP:  corelpp-app.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

MANAGED_STACK: !dumpstack -EE

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

APP:  corelpp-app.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x1684 OS Thread Id: 0x1684 OS Thread Id: 0x1684 (0)
(0)
(0)
Current frame: Current frame: Current frame: 


Child-SP         RetAddr          Caller, Callee
Child-SP         RetAddr          Caller, Callee
Child-SP         RetAddr          Caller, Callee

PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS

BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER:  from 00007ffe0390ead0 to 00007ffe2b9ec877

STACK_TEXT:  
PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS

BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER:  from 00007ffe0390ead0 to 00007ffe2b9ec877

STACK_TEXT:  
PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS

BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER:  from 00007ffe0390ead0 to 00007ffe2b9ec877

STACK_TEXT:  
00000037`e49cc218 00007ffe`0390ead0 : 00000000`00000000 00000000`00000000 00000037`002b40d5 00000037`00000001 :     
VCRUNTIME140!memcpy+0x57
00000037`e49cc220 00007ffe`0390d4f0 : 00000000`00000001 00000167`59eb8830 00007ffe`0390af50 00000000`00000000 : 
IETIF!FilterEntry04+0xc690
00000037`e49cc250 00007ffe`0390cb51 : 00000000`00000000 00000000`00000001 00000167`59eb8830 00007ffe`0390af50 : 
IETIF!FilterEntry04+0xb0b0
00000037`e49cc300 00007ffe`0390d70e : 00000167`00000001 00000167`00000001 00007ffe`0390af50 00000167`59ed2200 : 
IETIF!FilterEntry04+0xa711
00000037`e49cc380 00007ffe`03901ff0 : 00000000`00000000 00000167`59eb8830 00000167`59eb8830 00000000`00000000 : 
IETIF!FilterEntry04+0xb2ce
00000037`e49cc420 00007ffe`14bf097d : 00000000`00000001 0000015f`2e7607f0 00000000`00000180 00000000`00000001 : 
IETIF!FilterEntry+0x90
00000037`e49cc450 00007ffe`14bde7ff : 00000000`00000000 00000000`00000001 00000167`59eb8830 00000000`00000000 : 
CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
00000037`e49cc490 00007ffe`10702298 : 00000000`00000000 00000000`00000000 00000000`00000030 00000000`00000001 : 
CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
00000037`e49cc5c0 00007ffe`106fac66 : 0000015f`00000007 00007ffe`3bcfacee 00000037`e49cc9dc 00000167`59ebb1d0 : 
corelpp!CTool::GetAutoScroll+0x630a8
00000037`e49cc6c0 00007ffe`106f7e91 : 0000015f`2ab20000 00000000`00000038 00000000`00000001 00007ffe`3bd08097 : 
corelpp!CTool::GetAutoScroll+0x5ba76
00000037`e49cc900 00007ffe`106f761c : 00000167`59d29270 00000167`59eb8830 0000015f`2ab87b90 00000167`59d29270 :   
corelpp!CTool::GetAutoScroll+0x58ca1
00000037`e49cd040 00007ffe`105fea42 : 00000167`599492b0 00000167`59d29270 0000015f`2eb072a0 00007ffe`10648f56 : 
corelpp!CTool::GetAutoScroll+0x5842c
00000037`e49cdd80 00007ffe`105ffc79 : 00000167`59d29270 00007ffe`10b490d0 00000167`599492b0 00000167`599492b0 : 
corelpp!CPntCom::CPntCom+0x28b32
00000037`e49cdeb0 00007ffe`106484b7 : 00007ffe`10b490d0 00000037`e49ce2b0 00000167`599492b0 00000167`59eb7398 : 
corelpp!CPntCom::CPntCom+0x29d69
00000037`e49ce020 00007ffe`10649f6b : 00007ffe`10e13ba0 00000037`e49ce2b0 00000167`599492b0 ffffffff`fcdcfb70 : 
corelpp!CPntCom::CPntCom+0x725a7
00000037`e49ce060 00007ffe`106483aa : 00000037`e49ce1b0 00000037`e49cee58 00000037`e49ce2b0 00000167`599492b0 : 
corelpp!CPntCom::CPntCom+0x7405b
00000037`e49ce160 00007ffe`10a1ab4e : 00000037`e49cee58 00000037`e49ce2b0 00000167`59eb7398 00000037`e49ce1b0 : 
corelpp!CPntCom::CPntCom+0x7249a
00000037`e49ce1b0 00007ffe`10a194d9 : 00000037`e49cee20 00000167`58491e20 00000000`00000000 00000167`59e5aa18 : 
corelpp!GetComponentTool+0xa58de
00000037`e49ceda0 00007ffe`10a16d26 : 0000015f`2ac1ea30 0000015f`00000028 00000167`58491ba8 00007ffe`11b003d0 : 
corelpp!GetComponentTool+0xa4269
00000037`e49ceed0 00007ffe`105b9c7e : 00000037`e49cef28 0000015f`2f05d990 00007ffe`10c4bbe4 00000167`59aa6ee8 : 
corelpp!GetComponentTool+0xa1ab6
00000037`e49cef00 00007ffe`105b4f29 : 0000015f`2e60b768 0000015f`2f05d990 00000167`59aa6ee8 00007ffe`16c63d66 : 
corelpp!CTool::GetNumStrokes+0x231e
00000037`e49cef50 00007ffe`105ec3cc : 00000000`00000000 0000015f`2e60b768 0000015f`2eb072a0 0000015f`2f05a590 : 
corelpp!StartApp+0xc139
00000037`e49cf020 00007ffe`10a1d6f8 : 00000000`00000000 00000000`00000001 0000015f`2eb072a0 00000000`00000000 : 
corelpp!CPntCom::CPntCom+0x164bc
00000037`e49cf070 00007ffe`105a8c87 : 00000167`59e3b898 00000167`00000000 00000037`e49cf370 00000000`00000000 : 
corelpp!GetComponentTool+0xa8488
00000037`e49cf0c0 00007ffe`1169fa1b : 0000015f`2eaffb40 00000037`e49cf370 00000000`00000000 0000015f`2ab41428 : 
corelpp!CTool::GetToolMode+0x4ac7
00000037`e49cf0f0 00007ffe`1169f6e9 : 00000037`e49cf370 00000000`00000001 00000000`00000001 0000015f`2eaff600 :      
CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
00000037`e49cf130 00007ffe`1169f849 : 0000015f`2eb00120 00000037`e49cf370 00000037`e49cf300 4b18a26b`5f3d1849 : 
CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
00000037`e49cf1c0 00007ffe`11683e49 : 00000167`58660188 0000015f`2ac1edb0 0000015f`2ac1edb0 0000015f`2ea4d098 : 
CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
00000037`e49cf200 00007ffe`105a9069 : 00007ffe`17286a58 0000015f`2abb7450 00007ffe`17286a58 00000000`00000000 : 
CrlFrmWk!IAppFramework::GetInstance+0x11a9
00000037`e49cf5d0 00007ff6`656a1d92 : 00000037`e49cf750 00000037`e49cf750 00000000`00000000 0000015f`2ab22601 : 
corelpp!StartApp+0x279
00000037`e49cf6b0 00007ff6`656a15a6 : 00000037`e49cf750 00000000`0000000a 00000000`00000000 00000000`00000003 : 
CorelPP_APP+0x1d92
00000037`e49cf710 00007ff6`656a7466 : 00000000`00000000 00007ff6`656afd90 00000000`00000000 00000000`00000000 : 
CorelPP_APP+0x15a6
00000037`e49cf800 00007ffe`396c8364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
CorelPP_APP+0x7466
00000037`e49cf840 00007ffe`3bd370d1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
KERNEL32!BaseThreadInitThunk+0x14
00000037`e49cf870 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
ntdll!RtlUserThreadStart+0x21

00000037`e49cc218 00007ffe`0390ead0 : 00000000`00000000 00000000`00000000 00000037`002b40d5 00000037`00000001 : 
VCRUNTIME140!memcpy+0x57
00000037`e49cc220 00007ffe`0390d4f0 : 00000000`00000001 00000167`59eb8830 00007ffe`0390af50 00000000`00000000 : 
IETIF!FilterEntry04+0xc690
00000037`e49cc250 00007ffe`0390cb51 : 00000000`00000000 00000000`00000001 00000167`59eb8830 00007ffe`0390af50 : 
IETIF!FilterEntry04+0xb0b0
00000037`e49cc300 00007ffe`0390d70e : 00000167`00000001 00000167`00000001 00007ffe`0390af50 00000167`59ed2200 : 
IETIF!FilterEntry04+0xa711
00000037`e49cc380 00007ffe`03901ff0 : 00000000`00000000 00000167`59eb8830 00000167`59eb8830 00000000`00000000 : 
IETIF!FilterEntry04+0xb2ce
00000037`e49cc420 00007ffe`14bf097d : 00000000`00000001 0000015f`2e7607f0 00000000`00000180 00000000`00000001 : 
IETIF!FilterEntry+0x90
00000037`e49cc450 00007ffe`14bde7ff : 00000000`00000000 00000000`00000001 00000167`59eb8830 00000000`00000000 : 
CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
00000037`e49cc490 00007ffe`10702298 : 00000000`00000000 00000000`00000000 00000000`00000030 00000000`00000001 : 
CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
00000037`e49cc5c0 00007ffe`106fac66 : 0000015f`00000007 00007ffe`3bcfacee 00000037`e49cc9dc 00000167`59ebb1d0 : 
corelpp!CTool::GetAutoScroll+0x630a8
00000037`e49cc6c0 00007ffe`106f7e91 : 0000015f`2ab20000 00000000`00000038 00000000`00000001 00007ffe`3bd08097 : 
corelpp!CTool::GetAutoScroll+0x5ba76
00000037`e49cc900 00007ffe`106f761c : 00000167`59d29270 00000167`59eb8830 0000015f`2ab87b90 00000167`59d29270 : 
corelpp!CTool::GetAutoScroll+0x58ca1
00000037`e49cd040 00007ffe`105fea42 : 00000167`599492b0 00000167`59d29270 0000015f`2eb072a0 00007ffe`10648f56 : 
corelpp!CTool::GetAutoScroll+0x5842c
00000037`e49cdd80 00007ffe`105ffc79 : 00000167`59d29270 00007ffe`10b490d0 00000167`599492b0 00000167`599492b0 : 
corelpp!CPntCom::CPntCom+0x28b32
00000037`e49cdeb0 00007ffe`106484b7 : 00007ffe`10b490d0 00000037`e49ce2b0 00000167`599492b0 00000167`59eb7398 : 
corelpp!CPntCom::CPntCom+0x29d69
00000037`e49ce020 00007ffe`10649f6b : 00007ffe`10e13ba0 00000037`e49ce2b0 00000167`599492b0 ffffffff`fcdcfb70 :      
corelpp!CPntCom::CPntCom+0x725a7
00000037`e49ce060 00007ffe`106483aa : 00000037`e49ce1b0 00000037`e49cee58 00000037`e49ce2b0 00000167`599492b0 : 
corelpp!CPntCom::CPntCom+0x7405b
00000037`e49ce160 00007ffe`10a1ab4e : 00000037`e49cee58 00000037`e49ce2b0 00000167`59eb7398 00000037`e49ce1b0 : 
corelpp!CPntCom::CPntCom+0x7249a
00000037`e49ce1b0 00007ffe`10a194d9 : 00000037`e49cee20 00000167`58491e20 00000000`00000000 00000167`59e5aa18 : 
corelpp!GetComponentTool+0xa58de
00000037`e49ceda0 00007ffe`10a16d26 : 0000015f`2ac1ea30 0000015f`00000028 00000167`58491ba8 00007ffe`11b003d0 : 
corelpp!GetComponentTool+0xa4269
00000037`e49ceed0 00007ffe`105b9c7e : 00000037`e49cef28 0000015f`2f05d990 00007ffe`10c4bbe4 00000167`59aa6ee8 : 
corelpp!GetComponentTool+0xa1ab6
00000037`e49cef00 00007ffe`105b4f29 : 0000015f`2e60b768 0000015f`2f05d990 00000167`59aa6ee8 00007ffe`16c63d66 : 
corelpp!CTool::GetNumStrokes+0x231e
00000037`e49cef50 00007ffe`105ec3cc : 00000000`00000000 0000015f`2e60b768 0000015f`2eb072a0 0000015f`2f05a590 : 
corelpp!StartApp+0xc139
00000037`e49cf020 00007ffe`10a1d6f8 : 00000000`00000000 00000000`00000001 0000015f`2eb072a0 00000000`00000000 : 
corelpp!CPntCom::CPntCom+0x164bc
00000037`e49cf070 00007ffe`105a8c87 : 00000167`59e3b898 00000167`00000000 00000037`e49cf370 00000000`00000000 : 
corelpp!GetComponentTool+0xa8488
00000037`e49cf0c0 00007ffe`1169fa1b : 0000015f`2eaffb40 00000037`e49cf370 00000000`00000000 0000015f`2ab41428 : 
corelpp!CTool::GetToolMode+0x4ac7
00000037`e49cf0f0 00007ffe`1169f6e9 : 00000037`e49cf370 00000000`00000001 00000000`00000001 0000015f`2eaff600 : 
CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
00000037`e49cf130 00007ffe`1169f849 : 0000015f`2eb00120 00000037`e49cf370 00000037`e49cf300 4b18a26b`5f3d1849 : 
CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
00000037`e49cf1c0 00007ffe`11683e49 : 00000167`58660188 0000015f`2ac1edb0 0000015f`2ac1edb0 0000015f`2ea4d098 : 
CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
00000037`e49cf200 00007ffe`105a9069 : 00007ffe`17286a58 0000015f`2abb7450 00007ffe`17286a58 00000000`00000000 : 
CrlFrmWk!IAppFramework::GetInstance+0x11a9
00000037`e49cf5d0 00007ff6`656a1d92 : 00000037`e49cf750 00000037`e49cf750 00000000`00000000 0000015f`2ab22601 : 
corelpp!StartApp+0x279
00000037`e49cf6b0 00007ff6`656a15a6 : 00000037`e49cf750 00000000`0000000a 00000000`00000000 00000000`00000003 :   
CorelPP_APP+0x1d92
00000037`e49cf710 00007ff6`656a7466 : 00000000`00000000 00007ff6`656afd90 00000000`00000000 00000000`00000000 : 
CorelPP_APP+0x15a6
00000037`e49cf800 00007ffe`396c8364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
CorelPP_APP+0x7466
00000037`e49cf840 00007ffe`3bd370d1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
KERNEL32!BaseThreadInitThunk+0x14
00000037`e49cf870 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
ntdll!RtlUserThreadStart+0x21

00000037`e49cc218 00007ffe`0390ead0 : 00000000`00000000 00000000`00000000 00000037`002b40d5 00000037`00000001 : 
VCRUNTIME140!memcpy+0x57
00000037`e49cc220 00007ffe`0390d4f0 : 00000000`00000001 00000167`59eb8830 00007ffe`0390af50 00000000`00000000 : 
IETIF!FilterEntry04+0xc690
00000037`e49cc250 00007ffe`0390cb51 : 00000000`00000000 00000000`00000001 00000167`59eb8830 00007ffe`0390af50 : 
IETIF!FilterEntry04+0xb0b0
00000037`e49cc300 00007ffe`0390d70e : 00000167`00000001 00000167`00000001 00007ffe`0390af50 00000167`59ed2200 : 
IETIF!FilterEntry04+0xa711
00000037`e49cc380 00007ffe`03901ff0 : 00000000`00000000 00000167`59eb8830 00000167`59eb8830 00000000`00000000 : 
IETIF!FilterEntry04+0xb2ce
00000037`e49cc420 00007ffe`14bf097d : 00000000`00000001 0000015f`2e7607f0 00000000`00000180 00000000`00000001 : 
IETIF!FilterEntry+0x90
00000037`e49cc450 00007ffe`14bde7ff : 00000000`00000000 00000000`00000001 00000167`59eb8830 00000000`00000000 : 
CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
00000037`e49cc490 00007ffe`10702298 : 00000000`00000000 00000000`00000000 00000000`00000030 00000000`00000001 : 
CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
00000037`e49cc5c0 00007ffe`106fac66 : 0000015f`00000007 00007ffe`3bcfacee 00000037`e49cc9dc 00000167`59ebb1d0 : 
corelpp!CTool::GetAutoScroll+0x630a8
00000037`e49cc6c0 00007ffe`106f7e91 : 0000015f`2ab20000 00000000`00000038 00000000`00000001 00007ffe`3bd08097 : 
corelpp!CTool::GetAutoScroll+0x5ba76
00000037`e49cc900 00007ffe`106f761c : 00000167`59d29270 00000167`59eb8830 0000015f`2ab87b90 00000167`59d29270 :     
corelpp!CTool::GetAutoScroll+0x58ca1
00000037`e49cd040 00007ffe`105fea42 : 00000167`599492b0 00000167`59d29270 0000015f`2eb072a0 00007ffe`10648f56 : 
corelpp!CTool::GetAutoScroll+0x5842c
00000037`e49cdd80 00007ffe`105ffc79 : 00000167`59d29270 00007ffe`10b490d0 00000167`599492b0 00000167`599492b0 : 
corelpp!CPntCom::CPntCom+0x28b32
00000037`e49cdeb0 00007ffe`106484b7 : 00007ffe`10b490d0 00000037`e49ce2b0 00000167`599492b0 00000167`59eb7398 : 
corelpp!CPntCom::CPntCom+0x29d69
00000037`e49ce020 00007ffe`10649f6b : 00007ffe`10e13ba0 00000037`e49ce2b0 00000167`599492b0 ffffffff`fcdcfb70 : 
corelpp!CPntCom::CPntCom+0x725a7
00000037`e49ce060 00007ffe`106483aa : 00000037`e49ce1b0 00000037`e49cee58 00000037`e49ce2b0 00000167`599492b0 :   
corelpp!CPntCom::CPntCom+0x7405b
00000037`e49ce160 00007ffe`10a1ab4e : 00000037`e49cee58 00000037`e49ce2b0 00000167`59eb7398 00000037`e49ce1b0 : 
corelpp!CPntCom::CPntCom+0x7249a
00000037`e49ce1b0 00007ffe`10a194d9 : 00000037`e49cee20 00000167`58491e20 00000000`00000000 00000167`59e5aa18 : 
corelpp!GetComponentTool+0xa58de
00000037`e49ceda0 00007ffe`10a16d26 : 0000015f`2ac1ea30 0000015f`00000028 00000167`58491ba8 00007ffe`11b003d0 : 
corelpp!GetComponentTool+0xa4269
00000037`e49ceed0 00007ffe`105b9c7e : 00000037`e49cef28 0000015f`2f05d990 00007ffe`10c4bbe4 00000167`59aa6ee8 : 
corelpp!GetComponentTool+0xa1ab6
00000037`e49cef00 00007ffe`105b4f29 : 0000015f`2e60b768 0000015f`2f05d990 00000167`59aa6ee8 00007ffe`16c63d66 : 
corelpp!CTool::GetNumStrokes+0x231e
00000037`e49cef50 00007ffe`105ec3cc : 00000000`00000000 0000015f`2e60b768 0000015f`2eb072a0 0000015f`2f05a590 : 
corelpp!StartApp+0xc139
00000037`e49cf020 00007ffe`10a1d6f8 : 00000000`00000000 00000000`00000001 0000015f`2eb072a0 00000000`00000000 : 
corelpp!CPntCom::CPntCom+0x164bc
00000037`e49cf070 00007ffe`105a8c87 : 00000167`59e3b898 00000167`00000000 00000037`e49cf370 00000000`00000000 : 
corelpp!GetComponentTool+0xa8488
00000037`e49cf0c0 00007ffe`1169fa1b : 0000015f`2eaffb40 00000037`e49cf370 00000000`00000000 0000015f`2ab41428 : 
corelpp!CTool::GetToolMode+0x4ac7
00000037`e49cf0f0 00007ffe`1169f6e9 : 00000037`e49cf370 00000000`00000001 00000000`00000001 0000015f`2eaff600 : 
CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
00000037`e49cf130 00007ffe`1169f849 : 0000015f`2eb00120 00000037`e49cf370 00000037`e49cf300 4b18a26b`5f3d1849 : 
CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
00000037`e49cf1c0 00007ffe`11683e49 : 00000167`58660188 0000015f`2ac1edb0 0000015f`2ac1edb0 0000015f`2ea4d098 : 
CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
00000037`e49cf200 00007ffe`105a9069 : 00007ffe`17286a58 0000015f`2abb7450 00007ffe`17286a58 00000000`00000000 : 
CrlFrmWk!IAppFramework::GetInstance+0x11a9
00000037`e49cf5d0 00007ff6`656a1d92 : 00000037`e49cf750 00000037`e49cf750 00000000`00000000 0000015f`2ab22601 : 
corelpp!StartApp+0x279
00000037`e49cf6b0 00007ff6`656a15a6 : 00000037`e49cf750 00000000`0000000a 00000000`00000000 00000000`00000003 : 
CorelPP_APP+0x1d92
00000037`e49cf710 00007ff6`656a7466 : 00000000`00000000 00007ff6`656afd90 00000000`00000000 00000000`00000000 : 
CorelPP_APP+0x15a6
00000037`e49cf800 00007ffe`396c8364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
CorelPP_APP+0x7466
00000037`e49cf840 00007ffe`3bd370d1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
KERNEL32!BaseThreadInitThunk+0x14
00000037`e49cf870 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
ntdll!RtlUserThreadStart+0x21


STACK_COMMAND:  .cxr 0x0 ; kb

FAULTING_SOURCE_LINE:  f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm

FAULTING_SOURCE_FILE:  f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm

FAULTING_SOURCE_LINE_NUMBER:  135

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  vcruntime140!memcpy+57

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: 

STACK_COMMAND:  .cxr 0x0 ; kb

FAULTING_SOURCE_LINE:  f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm

FAULTING_SOURCE_FILE:  f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm

FAULTING_SOURCE_LINE_NUMBER:  135

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  vcruntime140!memcpy+57

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: 

STACK_COMMAND:  .cxr 0x0 ; kb

FAULTING_SOURCE_LINE:  f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm

FAULTING_SOURCE_FILE:  f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm

FAULTING_SOURCE_LINE_NUMBER:  135

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  vcruntime140!memcpy+57

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: VCRUNTIME140
VCRUNTIME140
VCRUNTIME140

IMAGE_NAME:  VCRUNTIME140.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  563c45c0

FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000005_VCRUNTIME140.dll!memcpy

BUCKET_ID:  APPLICATION_FAULT_WRONG_SYMBOLS_vcruntime140!memcpy+57

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:wrong_symbols_c0000005_vcruntime140.dll!memcpy

FAILURE_ID_HASH:  {af9e04a5-399b-60ad-9abe-5412f864504e}

Followup: MachineOwner
---------


IMAGE_NAME:  VCRUNTIME140.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  563c45c0

FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000005_VCRUNTIME140.dll!memcpy

BUCKET_ID:  APPLICATION_FAULT_WRONG_SYMBOLS_vcruntime140!memcpy+57

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:wrong_symbols_c0000005_vcruntime140.dll!memcpy

FAILURE_ID_HASH:  {af9e04a5-399b-60ad-9abe-5412f864504e}

Followup: MachineOwner
---------


IMAGE_NAME:  VCRUNTIME140.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  563c45c0

FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000005_VCRUNTIME140.dll!memcpy

BUCKET_ID:  APPLICATION_FAULT_WRONG_SYMBOLS_vcruntime140!memcpy+57

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:wrong_symbols_c0000005_vcruntime140.dll!memcpy

FAILURE_ID_HASH:  {af9e04a5-399b-60ad-9abe-5412f864504e}

Followup: MachineOwner
---------

Timeline

2017-03-28 - Vendor Disclosure
2017—07-20 - Public Release

Credit

Discovered by a member of Cisco Talos