Talos Vulnerability Report

TALOS-2018-0534

Hyland Perceptive Document Filters Microsoft Word CDATA Code Execution Vulnerability

April 26, 2018
CVE Number

CVE-2018-3851

Summary

An exploitable heap corruption vulnerability exists in the Microsoft Word conversion functionality (Word to JPEG, HTML5 and other output formats) of Hyland Perceptive Document Filters version 11.4.0.2647. A crafted Microsoft Word (XML) document can lead to heap corruption resulting in remote code execution. An attacker can provide a specially crafted file to trigger this vulnerability.

Tested Versions

Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux

Product URLs

https://www.hyland.com/en/perceptive#docfilters

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

This vulnerability is present in the Hyland Perceptive Document Filters conversion library, which is used in big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture products.
It converts common formats, such as Microsoft's document formats, into more usable and easily viewed formats. The vulnerability lies in the conversion of a Microsoft Word (XML) document to JPEG, HTML5 and several other output formats: a specially crafted Microsoft Word (XML) file leads to heap corruption and potentially remote code execution. Let's investigate this vulnerability:

When we attempt to convert a malicious Microsoft Word (XML) document using the Hyland library, we see the following state:

isys_doc2text --html5 -o /tmp malformed_doc.xml
[1] File type: Microsoft Word (25); Capabilities: 3 - malformed_doc.xml

Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned () at ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:628
628     ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(rr) bt
#0  __memcpy_sse2_unaligned () at ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:628
#1  0xf6028fef in ISYS_NS::CMemoryStream::Write(void const*, unsigned int) () from ./libISYSshared.so
#2  0xf5fe3c75 in ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) () from ./libISYSshared.so
#3  0xf5fe392f in ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) () from ./libISYSshared.so
#4  0xf5fe392f in ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) () from ./libISYSshared.so
#5  0xf5fdf815 in ISYS_NS::XML::XMLNode::xml(std::string&) () from ./libISYSshared.so
#6  0xf614ae9e in ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) () from ./libISYSshared.so
#7  0xf61414c0 in ISYS_NS::CMSWord2003XML::needFileList() () from ./libISYSshared.so
#8  0xf61416a9 in ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) () from ./libISYSshared.so
#9  0xf4aa8ecc in ?? () from ./libISYSreadershd.so
#10 0xf4aa9ef5 in ?? () from ./libISYSreadershd.so
#11 0xf4c3920f in ?? () from ./libISYSreadershd.so
#12 0xf4e7a5d5 in ?? () from ./libISYSreadershd.so
#13 0xf515b6e8 in ?? () from ./libISYSreadershd.so
#14 0xf5163492 in ?? () from ./libISYSreadershd.so
#15 0xf58eeeb3 in ?? () from ./libISYSreaders.so
#16 0xf58f455d in ?? () from ./libISYSreaders.so
#17 0xf7ebc5e3 in IGR_Open_Stream_Ex () from ./libISYS11df.so
#18 0x080590eb in ?? ()
#19 0x08061690 in ?? ()
#20 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#21 0xf60f873d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#22 0xf6104ff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#23 0xf6101524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#24 0x08054e88 in ?? ()
#25 0xf5a72637 in __libc_start_main (main=0x8054d40, argc=5, argv=0xffb76ed4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f04880 <_dl_fini>, stack_end=0xffb76ecc) at ../csu/libc-start.c:291
#26 0x080531b1 in ?? ()


gdb-peda$ context
[----------------------------------registers-----------------------------------]
EAX: 0xfff9de36 
EBX: 0x98b7000 
ECX: 0x9877500 (".microsoft.com/aml/2001/core\" xml:space=\"preserve\">\n\t<w:body>\n\t\t<w:tc>\n\t\t\t<w:t><![CDATA[]]></generic-file>]]></w:t>\n\t\t</w:tc>\n\t</w:body>\n</w:wordDocument>")
EDX: 0x9877558 ("]]></generic-file>]]></w:t>\n\t\t</w:tc>\n\t</w:body>\n</w:wordDocument>")
ESI: 0xffb747e4 --> 0xf7e9bda8 (:CMemoryStream+8>:      0xf602a180)
EDI: 0xffffffff 
EBP: 0xffb745d8 --> 0xffb74678 --> 0xffb74718 --> 0xffb747b8 --> 0xffb74818 --> 0xffb748a8 (--> ...)
ESP: 0xffb745a8 --> 0xf7ea834c --> 0x205a0e0 
EIP: 0xf5b80fff --> 0x3e70f66
EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xf5b80fed <__memcpy_sse2_unaligned+621>:    movdqu xmm5,XMMWORD PTR [ebx+eax*1+0x50]
   0xf5b80ff3 <__memcpy_sse2_unaligned+627>:    movdqu xmm6,XMMWORD PTR [ebx+eax*1+0x60]
   0xf5b80ff9 <__memcpy_sse2_unaligned+633>:    movdqu xmm7,XMMWORD PTR [ebx+eax*1+0x70]
=> 0xf5b80fff <__memcpy_sse2_unaligned+639>:    movntdq XMMWORD PTR [ebx],xmm0
   0xf5b81003 <__memcpy_sse2_unaligned+643>:    movntdq XMMWORD PTR [ebx+0x10],xmm1
   0xf5b81008 <__memcpy_sse2_unaligned+648>:    movntdq XMMWORD PTR [ebx+0x20],xmm2
   0xf5b8100d <__memcpy_sse2_unaligned+653>:    movntdq XMMWORD PTR [ebx+0x30],xmm3
   0xf5b81012 <__memcpy_sse2_unaligned+658>:    movntdq XMMWORD PTR [ebx+0x40],xmm4
[------------------------------------stack-------------------------------------]
0000| 0xffb745a8 --> 0xf7ea834c --> 0x205a0e0 
0004| 0xffb745ac --> 0xf6028fef (:CMemoryStream::Write(void const*, unsigned int)+63>:  0x89f0458b)
0008| 0xffb745b0 --> 0x9877558 ("]]></generic-file>]]></w:t>\n\t\t</w:tc>\n\t</w:body>\n</w:wordDocument>")
0012| 0xffb745b4 --> 0x981538e ("]]></generic-file>]]></w:t>\n\t\t</w:tc>\n\t</w:body>\n</w:wordDocument>")
0016| 0xffb745b8 --> 0xffffffff 
0020| 0xffb745bc --> 0xffb74620 --> 0xf5df806c (:string::_Rep::_S_empty_rep_storage+12>:        0x00000000)
0024| 0xffb745c0 --> 0xf63b9287 ("<![CDATA[")
0028| 0xffb745c4 --> 0xf63b9290 --> 0x3e5d5d00 ('')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
gdb-peda$ 

As we can see, an out-of-bounds write occurred during a memcpy operation, causing an access violation. Stepping back, we see that memcpy was called with the following parameters:

[-------------------------------------code-------------------------------------]
   0xf6028fe5 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+53>:    mov    edx,DWORD PTR [ebp+0xc]
   0xf6028fe8 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+56>:    push   edx
   0xf6028fe9 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+57>:    push   eax
=> 0xf6028fea <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+58>:    call   0xf5fc77ec <memcpy@plt>
   0xf6028fef <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+63>:    mov    eax,DWORD PTR [ebp-0x10]
   0xf6028ff2 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+66>:    mov    DWORD PTR [esi+0xc],eax
   0xf6028ff5 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+69>:    add    esp,0x10
   0xf6028ff8 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+72>:    mov    eax,edi
Guessed arguments:
arg[0]: 0x9877558 (""...)
arg[1]: 0x981538e ("]]>...")
arg[2]: 0xffffffff 

So the size parameter is 0xffffffff (-1 interpreted as an unsigned int), which explains why the memcpy operation ended in an access violation. Why does the size parameter have that value? Tracking code execution back, we arrive at the place where it is calculated:

Line 1 	ISYS_NS::XML::CXMLDocumentImpl *__cdecl ISYS_NS::XML::CXMLDocumentImpl::load(ISYS_NS::XML::CXMLDocumentImpl *this)
Line 2 	{
Line 3 		(...)
Line 4 		if ( *CDATAElement != '!' )
Line 5 		  goto LABEL_17;
Line 6 		v2 = CDATAElement + 1;
Line 7 		v9 = CDATAElement[1];
Line 8 		if ( v9 == '[' )
Line 9 		{
Line 10		  if ( CDATAElement[2] == 'C'
Line 11			&& CDATAElement[3] == 'D'
Line 12			&& CDATAElement[4] == 'A'
Line 13			&& CDATAElement[5] == 'T'
Line 14			&& CDATAElement[6] == 'A'
Line 15			&& CDATAElement[7] == '[' )
Line 16		  {
Line 17			CDATAElementTextBeg = CDATAElement + 8;
Line 18			v48 = (ISYS_NS::XML::XMLNode *)ISYS_NS::XML::CXMLDocumentImpl::addNode(this, &byte_F64729AE, 0, 3, v45);
Line 19			v26 = CDATAElement[8];
Line 20			if ( !v26 )
Line 21			{
Line 22			  v28 = CDATAElement + 8;
Line 23			  v39 = 0;
Line 24	LABEL_91:
Line 25			  ISYS_NS::XML::CXMLDocumentImpl::setTextContent(this, v48, CDATAElementTextBeg, v39, 0);
Line 26			  goto LABEL_87;
Line 27			}
Line 28			CDATAElementTextEnd = CDATAElement + 8;
Line 29			while ( 2 )
Line 30			{
Line 31			  if ( v26 == ']' )
Line 32			  {
Line 33				v28 = CDATAElementTextEnd + 1;
Line 34				if ( CDATAElementTextEnd[1] != ']' )
Line 35				  goto LABEL_49;
Line 36				if ( CDATAElementTextEnd[2] == '>' )
Line 37				{
Line 38				  ISYS_NS::XML::CXMLDocumentImpl::setTextContent(
Line 39					this,
Line 40					v48,
Line 41					CDATAElementTextBeg,
Line 42					CDATAElementTextEnd - 1 - CDATAElementTextBeg,
Line 43					0);
Line 44				  v28 = CDATAElementTextEnd + 2;
Line 45	LABEL_87:
Line 46				  v45 = (ISYS_NS::XML::XMLNode *)*((_DWORD *)v48 + 1);
Line 47				  v2 = v28 + 1;
Line 48				  goto LABEL_9;
Line 49				}
Line 50			  }
Line 51			  else
Line 52			  {
Line 53				v28 = CDATAElementTextEnd + 1;
Line 54	LABEL_49:
Line 55				v26 = *v28;
Line 56				if ( !*v28 )
Line 57				{
Line 58				  v39 = v28 - CDATAElementTextBeg;
Line 59				  goto LABEL_91;
Line 60				}
Line 61			  }
Line 62			  CDATAElementTextEnd = v28;
Line 63			  continue;
Line 64			}
Line 65		  }

The memcpy size parameter is the value calculated at line 42, the fourth argument of the ISYS_NS::XML::CXMLDocumentImpl::setTextContent call spanning lines 38 to 43. Generally speaking, this fragment of code is responsible for finding a CDATA section in an XML document and measuring the length of the text it contains. In our example the CDATA section (<![CDATA[]]>) contains no text, so at the time of the calculation at line 42:

CDATAElementTextBeg == CDATAElementTextEnd

and the expression CDATAElementTextEnd - 1 - CDATAElementTextBeg evaluates to -1. Passed on as an unsigned int, this becomes 0xffffffff, the huge size we saw above in the memcpy call. The resulting out-of-bounds copy corrupts the heap, which an attacker could potentially leverage to gain remote code execution.
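To make the arithmetic concrete, the following C program is an added example; it is not code from Hyland or from this advisory. It reimplements the decompiled CDATA scan (find_cdata is a hypothetical helper standing in for the loop in CXMLDocumentImpl::load), shows the vulnerable expression producing 0xffffffff for the empty <![CDATA[]]> section, and next to it the length computation a fixed parser would use and the bounds check a CMemoryStream::Write-style routine should perform before calling memcpy. The function names, the constructed inputs and the buffer sizes are assumptions for illustration.

```c
/* Added example (not Hyland or Talos code): models the CDATA length
 * arithmetic decompiled from CXMLDocumentImpl::load and the bounds check
 * a CMemoryStream::Write-style routine should perform before memcpy.
 * Build: cc -Wall -Wextra -std=c99 -o cdata cdata.c && ./cdata            */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CDATA_OPEN "<![CDATA["

/* Hypothetical helper standing in for the byte-by-byte scan in the decompiled
 * loop. On success sets *text to the first content byte of the first CDATA
 * section, *close to the first byte of its terminating "]]>", and returns 1.
 * Returns 0 when there is no CDATA section or it is unterminated. */
static int find_cdata(const char *xml, const char **text, const char **close)
{
    const char *p = strstr(xml, CDATA_OPEN);
    if (p == NULL)
        return 0;
    *text = p + strlen(CDATA_OPEN);                  /* CDATAElementTextBeg */
    for (const char *q = *text; *q != '\0'; q++) {   /* CDATAElementTextEnd */
        if (q[0] == ']' && q[1] == ']' && q[2] == '>') {
            *close = q;
            return 1;
        }
    }
    return 0;
}

/* Vulnerable arithmetic exactly as decompiled: end - 1 - beg, handed on as an
 * unsigned int. For "<![CDATA[]]>" text == close, so the ptrdiff_t value is -1
 * and the conversion yields 0xffffffff, the size later passed to memcpy. */
unsigned int vulnerable_cdata_len(const char *xml)
{
    const char *text, *close;
    if (!find_cdata(xml, &text, &close))
        return 0;
    return (unsigned int)(close - 1 - text);
}

/* Fixed arithmetic: the content is the bytes in [text, close), whose length
 * close - text is never negative because close is found by scanning forward
 * from text. An empty section yields 0. */
size_t fixed_cdata_len(const char *xml)
{
    const char *text, *close;
    if (!find_cdata(xml, &text, &close))
        return 0;
    return (size_t)(close - text);
}

/* What the stream writer should do regardless of the parser: refuse any length
 * that exceeds the bytes actually available in the source or the room left in
 * the destination. Returns the number of bytes copied or -1 when rejected. */
int bounded_write(char *dst, size_t dst_cap, const char *src, size_t src_avail,
                  unsigned int len)
{
    if (len > src_avail || len >= dst_cap)   /* 0xffffffff fails both tests */
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return (int)len;
}

/* Convenience wrapper: copy `len` bytes of src into a 64-byte local buffer. */
int try_write(const char *src, unsigned int len)
{
    char buf[64];
    return bounded_write(buf, sizeof buf, src, strlen(src), len);
}

int main(void)
{
    /* Constructed inputs: the empty section from the crashing document and a
     * normal one. */
    const char *empty  = "<w:t><![CDATA[]]></w:t>";
    const char *normal = "<w:t><![CDATA[hello]]></w:t>";

    printf("vulnerable length, empty section : 0x%08x\n", vulnerable_cdata_len(empty));
    printf("fixed length, empty section      : %zu\n", fixed_cdata_len(empty));
    printf("fixed length, normal section     : %zu\n", fixed_cdata_len(normal));
    printf("bounded_write(0xffffffff)        : %d\n",
           try_write("]]></w:t>", vulnerable_cdata_len(empty)));
    printf("bounded_write(5)                 : %d\n", try_write("hello]]>", 5));
    return 0;
}
```

The two fixes are independent and both are worth having: correcting the length expression removes the underflow at its source, while the check in bounded_write is the last line of defence inside the stream writer, so that a length larger than the remaining source or the destination capacity is rejected instead of being handed to memcpy.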

Crash Information

File type: Microsoft Word (25); Capabilities: 3 - malformed_doc.xml
==85982== Invalid read of size 2
==85982==    at 0x4030F1C: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==85982==    by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==    by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==    by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==  Address 0x6b3e846 is 510 bytes inside a block of size 511 alloc'd
==85982==    at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==85982==    by 0x61B9D45: std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982==    by 0x61BAF18: std::string::_Rep::_M_clone(std::allocator<char> const&, unsigned int) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982==    by 0x61BAFD9: std::string::reserve(unsigned int) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982==    by 0x61BB48B: std::string::append(unsigned int, char) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982==    by 0x61BB569: std::string::resize(unsigned int, char) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982==    by 0x41DB027: ISYS_NS::XML::CXMLDocument::load(ISYS_NS::CStream*, ISYS_NS::XML::XML_ENCODING) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x43391B9: ISYS_NS::CMSOfficeXML::CMSOfficeXML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x433A661: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==    by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==    by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== 
==85982== Invalid read of size 2
==85982==    at 0x4030F10: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==85982==    by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==    by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==    by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==  Address 0x6b3e848 is 1 bytes after a block of size 511 alloc'd
==85982==    at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==85982==    by 0x61B9D45: std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982==    by 0x61BAF18: std::string::_Rep::_M_clone(std::allocator<char> const&, unsigned int) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982==    by 0x61BAFD9: std::string::reserve(unsigned int) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982==    by 0x61BB48B: std::string::append(unsigned int, char) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982==    by 0x61BB569: std::string::resize(unsigned int, char) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982==    by 0x41DB027: ISYS_NS::XML::CXMLDocument::load(ISYS_NS::CStream*, ISYS_NS::XML::XML_ENCODING) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x43391B9: ISYS_NS::CMSOfficeXML::CMSOfficeXML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x433A661: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==    by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==    by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== 
==85982== Invalid write of size 2
==85982==    at 0x4030F13: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==85982==    by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==    by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==    by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==  Address 0x6b42980 is 0 bytes after a block of size 8,192 alloc'd
==85982==    at 0x402C17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==85982==    by 0x4221DAB: ISYS_NS::CMemoryStream::_malloc(unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x4221E0F: ISYS_NS::CMemoryStream::Realloc(unsigned int*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x4221ED6: ISYS_NS::CMemoryStream::SetCapacity(unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x422205C: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DC7AC: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==    by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== 
==85982== 
==85982== Process terminating with default action of signal 11 (SIGSEGV)
==85982==  Bad permissions for mapped region at address 0x7140000
==85982==    at 0x4030F13: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==85982==    by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==    by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==    by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== Invalid read of size 4
==85982==    at 0x63D2015: tdestroy_recurse (tsearch.c:639)
==85982==    by 0x63D202D: tdestroy_recurse (tsearch.c:640)
==85982==    by 0x6431977: free_mem (in /lib/i386-linux-gnu/libc-2.23.so)
==85982==    by 0x6431B09: __libc_freeres (in /lib/i386-linux-gnu/libc-2.23.so)
==85982==    by 0x4026506: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-x86-linux.so)
==85982==    by 0xFFFFFFFB: ???
==85982==    by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==  Address 0x1b54 is not stack'd, malloc'd or (recently) free'd
==85982== 
==85982== 
==85982== Process terminating with default action of signal 11 (SIGSEGV)
==85982==  Access not within mapped region at address 0x1B54
==85982==    at 0x63D2015: tdestroy_recurse (tsearch.c:639)
==85982==    by 0x63D202D: tdestroy_recurse (tsearch.c:640)
==85982==    by 0x6431977: free_mem (in /lib/i386-linux-gnu/libc-2.23.so)
==85982==    by 0x6431B09: __libc_freeres (in /lib/i386-linux-gnu/libc-2.23.so)
==85982==    by 0x4026506: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-x86-linux.so)
==85982==    by 0xFFFFFFFB: ???
==85982==    by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==    by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982==  If you believe this happened as a result of a stack
==85982==  overflow in your program's main thread (unlikely but
==85982==  possible), you can try to increase the size of the
==85982==  main thread stack using the --main-stacksize= flag.
==85982==  The main thread stack size used in this run was 8388608.
==85982== 
==85982== HEAP SUMMARY:
==85982==     in use at exit: 788,001 bytes in 10,974 blocks
==85982==   total heap usage: 57,614 allocs, 46,640 frees, 22,967,606 bytes allocated
==85982== 
==85982== LEAK SUMMARY:
==85982==    definitely lost: 195,319 bytes in 3,959 blocks
==85982==    indirectly lost: 215,017 bytes in 5,663 blocks
==85982==      possibly lost: 44,931 bytes in 657 blocks
==85982==    still reachable: 332,734 bytes in 695 blocks
==85982==                       of which reachable via heuristic:
==85982==                         stdstring          : 8,026 bytes in 399 blocks
==85982==         suppressed: 0 bytes in 0 blocks
==85982== Rerun with --leak-check=full to see details of leaked memory
==85982== 
==85982== For counts of detected and suppressed errors, rerun with: -v
==85982== ERROR SUMMARY: 9016847 errors from 4 contexts (suppressed: 0 from 0)

Timeline

2018-02-27 - Vendor Disclosure
2018-03-22 - Vendor patched
2018-04-26 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.