Talos Vulnerability Report

TALOS-2018-0596

Antenna House Office Server Document Converter OLEread Code Execution Vulnerability

July 10, 2018
CVE Number

CVE-2018-3929

Summary

An exploitable heap corruption exists in the PowerPoint document conversion functionality of the Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312). A crafted PowerPoint (PPT) document can lead to heap corruption, resulting in remote code execution.

Tested Versions

Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312)

Product URLs

https://www.rainbowpdf.com/batch-office-server-document-converter/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

This vulnerability is present in the Antenna House Office Server Document Converter, which is used as a document converter in many server enterprise solutions.
It can convert common formats, such as Microsoft's document formats, into more usable and easily viewed formats. There is a vulnerability in the conversion process of a PowerPoint (PPT) file to PDF, JPEG and several other formats. A specially crafted PowerPoint (PPT) file can lead to heap corruption and remote code execution. Let's investigate this vulnerability. After we attempt to convert a malicious PowerPoint using the OSDC library, we see the following state:

icewall@ubuntu:/usr/OfficeServerDocumentConverter$ valgrind bin/SBCCmd -d ./crashes/3ec9a0fd9000e26b2479d49afdb8ed68 -p @PDF -o /tmp/x.pdf
==37421== Memcheck, a memory error detector
==37421== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==37421== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==37421== Command: bin/SBCCmd -d ./crashes/3ec9a0fd9000e26b2479d49afdb8ed68 -p @PDF -o /tmp/x.pdf
==37421== 
SBCCmd : Office Server Document Converter V6.1 Pro MR2 for Linux64 (6,1,2018,0312) 
         Copyright (c) 1999-2018 Antenna House, Inc.

==37421== Invalid write of size 1
==37421==    at 0x4C3275B: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==37421==    by 0xF8AFFAA: std::basic_streambuf<char, std::char_traits<char> >::xsgetn(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==37421==    by 0xF87CC7D: std::basic_filebuf<char, std::char_traits<char> >::xsgetn(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==37421==    by 0xF8898EA: std::istream::read(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==37421==    by 0x5EDCBAA: OleCompNS::AHJzStreamIOobj::Read(char*, int) const (in /usr/OfficeServerDocumentConverter/lib/libDfvGraphic.so.6.1)
==37421==    by 0x5ED6674: OleCompNS::AHOleCompStream::OLEread(unsigned char*, unsigned int) (in /usr/OfficeServerDocumentConverter/lib/libDfvGraphic.so.6.1)
==37421==    by 0x90D9FEF: DfvCommon::MSORecParseContext::readRecordData(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==37421==    by 0xA9341C7: DfvPptReaderNS::SlidePersistAtom::parse(DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421==    by 0xA939924: DfvPptReaderNS::SlideStub::parseSlidePersist(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421==    by 0xA9476D2: DfvPptReaderNS::PPTDocument::parseSlideList(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421==    by 0xA9489BD: DfvPptReaderNS::PPTDocument::parseDocument() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421==    by 0xA948DC7: DfvPptReaderNS::PPTDocument::InitSub() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421==  Address 0x118b93be is 0 bytes after a block of size 110 alloc'd
==37421==    at 0x4C2E80F: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==37421==    by 0x90D9F39: DfvCommon::MSORecParseContext::allocBuffer(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==37421==    by 0x90D9FD0: DfvCommon::MSORecParseContext::readRecordData(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==37421==    by 0xA942E6E: DfvPptReaderNS::TxMasterStyleAtom::parse(DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421==    by 0xA942DBA: DfvPptReaderNS::PPTDocument::parseEnvironment(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421==    by 0xA9488E5: DfvPptReaderNS::PPTDocument::parseDocument() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421==    by 0xA948DC7: DfvPptReaderNS::PPTDocument::InitSub() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421==    by 0xA94910F: DfvPptReaderNS::PPTDocument::Init(std::istream*, icu_52::UnicodeString const&) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421==    by 0xA91C312: DfvPptReaderNS::DfvPptReader::initDocument(std::istream*, int, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==37421==    by 0x6856D98: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==37421==    by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==37421==    by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==37421== 

As we can see, a heap-based buffer overflow appeared during the memcpy operation.

Looking at the call stacks, we can see that the overflowed buffer was allocated during operations related to the TxMasterStyleAtom record. Further investigation revealed that 0x110 is indeed the TxMasterStyleAtom record size. Next, let's debug the OleCompNS::AHOleCompStream::OLEread method during parsing of the SlidePersistAtom record. Pseudocode for the function looks as follows:

Line 1  __int64 __fastcall OleCompNS::AHOleCompStream::OLEread(struct_this *this, BYTE *buffer, unsigned int _amount)
Line 2  {
Line 3 
Line 6    seek_pos = this->current_record_offset;
Line 7 
Line 8    if ( _amount > this->streamSize )                 // the only bound checked is the stream size, never the buffer's capacity
Line 9      _amount = this->streamSize - seek_pos;
Line 10   if ( this->dword38 )
Line 11     v11 = v10->qword68;
Line 12   else
Line 13     v11 = v10->qword60;
Line 14   toRead = v11 - seek_pos % v11;                  // v11 is presumably the sector size; toRead = bytes left in the current sector
Line 15   readedTotal = 0;
Line 16   currentOffset = 0;
Line 17   if ( _amount )
Line 18   {
Line 19     while ( OleCompNS::AHOleCompStream::OLESeek( seek_pos, 0LL) >= 0 )
Line 20     {
Line 21       if ( toRead > _amount )
Line 22         toRead = _amount;
Line 23       readed = OleCompNS::AHJzStreamIOobj::Read( buffer + currentOffset, toRead);   // writes into buffer with no knowledge of its allocated size
Line 24       if ( readed != toRead )
Line 25         break;
Line 26       readedTotal += readed;
Line 27       currentOffset += readed;
Line 28       _amount -= readed;
Line 29       seek_pos = this->current_record_offset + readed;
Line 30       v16 = this->dword38 == 0;
Line 31       v17 = (struct_v17 *)this->qword8;
Line 32       this->current_record_offset = seek_pos;
Line 33       if ( v16 )
Line 34       {
Line 35         toRead = v17->dword60;
Line 36         if ( !_amount )
Line 37           return readedTotal;
Line 38       }
Line 39       else
Line 40       {
Line 41         toRead = v17->dword68;
Line 42         if ( !_amount )
Line 43           return readedTotal;
Line 44       }
Line 45     }
Line 46   }
Line 47   return readedTotal;
Line 48 }

The _amount argument is set to the SlidePersistAtom record size; in our case this is 0xff000014. streamSize is the size of the Compound File Directory Entry, in this case the PowerPoint Document stream, with value 0xF97. As we can see at lines 8-9, if _amount is bigger than streamSize, _amount is set to the result of subtracting seek_pos (the current record offset) from streamSize. Next, inside the while loop, data is read from the file into the buffer in an amount equal to the value of _amount. Neither path compares _amount against the size of the buffer allocated earlier, so a heap-based buffer overflow can occur in two scenarios:

- When _amount is bigger than the space previously allocated for the buffer, but smaller than streamSize.
- When _amount is bigger than streamSize, but the result of subtracting seek_pos (the current record offset) from streamSize is still bigger than the previously allocated buffer.

Both scenarios lead to heap memory corruption and give an attacker the possibility to remotely execute arbitrary code.
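To make the two scenarios concrete, the following added C model (not Antenna House code, written for this page) reproduces the length clamp from lines 8-9 beside a hardened check that also bounds the read by the destination buffer. The stream contents, the 0x100 record offset and the field names are constructed assumptions; the 0xF97 stream size, the 0xff000014 record size and the 110-byte buffer are the values from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the OLE stream state used by OLEread (not vendor code). */
typedef struct {
    const uint8_t *data;   /* bytes of the "PowerPoint Document" stream */
    uint32_t stream_size;  /* directory-entry size, 0xF97 in the report */
    uint32_t offset;       /* current record offset (seek_pos) */
} ole_stream;

/* Mirrors lines 8-9 of OLEread: the request is clamped against the stream
 * size only; the destination buffer's capacity is never consulted. Returns
 * 1 if the resulting read would run past buf_cap bytes. */
int original_overflows(uint32_t stream_size, uint32_t offset,
                       uint32_t amount, size_t buf_cap) {
    if (amount > stream_size)
        amount = stream_size - offset;   /* the only adjustment made */
    return amount > buf_cap;
}

/* Hardened length check: the read must fit in the bytes remaining in the
 * stream AND in the caller's buffer. Returns the length, or -1 to reject. */
long hardened_read_len(uint32_t stream_size, uint32_t offset,
                       uint32_t amount, size_t buf_cap) {
    if (offset > stream_size) return -1;  /* corrupt seek position */
    uint32_t remaining = stream_size - offset;
    if (amount > remaining) return -1;    /* record claims more than the stream holds */
    if (amount > buf_cap) return -1;      /* record larger than the buffer allocated for it */
    return (long)amount;
}

/* Copies one record into buf using the hardened check; advances the stream
 * offset only on success. Returns bytes copied, or -1 if rejected. */
long read_record_hardened(ole_stream *s, uint32_t amount,
                          uint8_t *buf, size_t buf_cap) {
    long n = hardened_read_len(s->stream_size, s->offset, amount, buf_cap);
    if (n < 0) return -1;
    memcpy(buf, s->data + s->offset, (size_t)n);
    s->offset += (uint32_t)n;
    return n;
}

/* Drives read_record_hardened over a constructed 0xF97-byte stream with the
 * record at offset 0x100 and a 110-byte buffer (the sizes in the report).
 * Returns bytes copied, -1 if rejected, -2 if the wrong bytes were copied. */
long demo_read(uint32_t record_size) {
    static uint8_t stream[0xF97];
    for (size_t i = 0; i < sizeof stream; i++) stream[i] = (uint8_t)i;
    ole_stream s = { stream, sizeof stream, 0x100 };
    uint8_t buf[110];
    long n = read_record_hardened(&s, record_size, buf, sizeof buf);
    if (n > 0 && memcmp(buf, stream + 0x100, (size_t)n) != 0) return -2;
    return n;
}

int main(void) {
    printf("record size 0xff000014: original overflows=%d, hardened=%ld\n",
           original_overflows(0xF97, 0x100, 0xff000014u, 110), demo_read(0xff000014u));
    printf("record size 110: original overflows=%d, hardened=%ld\n",
           original_overflows(0xF97, 0x100, 110, 110), demo_read(110));
    return 0;
}
```

With the report's values the original clamp yields 0xF97 - 0x100 = 0xE97 bytes for a 110-byte buffer (scenario two), and a record size such as 0x200 slips through unclamped (scenario one); the hardened check rejects both and accepts only reads that fit.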

Crash Information

icewall@ubuntu:/usr/OfficeServerDocumentConverter$ valgrind bin/SBCCmd -d ./crashes/3ec9a0fd9000e26b2479d49afdb8ed68 -p @PDF -o /tmp/test.pdf
==38054== Memcheck, a memory error detector
==38054== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==38054== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==38054== Command: bin/SBCCmd -d ./crashes/3ec9a0fd9000e26b2479d49afdb8ed68 -p @PDF -o /tmp/test.pdf
==38054== 
SBCCmd : Office Server Document Converter V6.1 Pro MR2 for Linux64 (6,1,2018,0312) 
         Copyright (c) 1999-2018 Antenna House, Inc.

 ---------------------------------------
 This is an EVALUATION version.
 Prohibits the use of evaluation version
 for the real business activity.
 Expire Date : Jun 06, 2018
 ---------------------------------------

==38054== Invalid write of size 1
==38054==    at 0x4C3275B: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==38054==    by 0xF8AFFAA: std::basic_streambuf<char, std::char_traits<char> >::xsgetn(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==38054==    by 0xF87CC7D: std::basic_filebuf<char, std::char_traits<char> >::xsgetn(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==38054==    by 0xF8898EA: std::istream::read(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==38054==    by 0x5EDCBAA: OleCompNS::AHJzStreamIOobj::Read(char*, int) const (in /usr/OfficeServerDocumentConverter/lib/libDfvGraphic.so.6.1)
==38054==    by 0x5ED6674: OleCompNS::AHOleCompStream::OLEread(unsigned char*, unsigned int) (in /usr/OfficeServerDocumentConverter/lib/libDfvGraphic.so.6.1)
==38054==    by 0x90D9FEF: DfvCommon::MSORecParseContext::readRecordData(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==38054==    by 0xA9341C7: DfvPptReaderNS::SlidePersistAtom::parse(DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA939924: DfvPptReaderNS::SlideStub::parseSlidePersist(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA9476D2: DfvPptReaderNS::PPTDocument::parseSlideList(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA9489BD: DfvPptReaderNS::PPTDocument::parseDocument() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA948DC7: DfvPptReaderNS::PPTDocument::InitSub() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==  Address 0x118b93de is 0 bytes after a block of size 110 alloc'd
==38054==    at 0x4C2E80F: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==38054==    by 0x90D9F39: DfvCommon::MSORecParseContext::allocBuffer(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==38054==    by 0x90D9FD0: DfvCommon::MSORecParseContext::readRecordData(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==38054==    by 0xA942E6E: DfvPptReaderNS::TxMasterStyleAtom::parse(DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA942DBA: DfvPptReaderNS::PPTDocument::parseEnvironment(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA9488E5: DfvPptReaderNS::PPTDocument::parseDocument() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA948DC7: DfvPptReaderNS::PPTDocument::InitSub() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA94910F: DfvPptReaderNS::PPTDocument::Init(std::istream*, icu_52::UnicodeString const&) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA91C312: DfvPptReaderNS::DfvPptReader::initDocument(std::istream*, int, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0x6856D98: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054==    by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054==    by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054== 
==38054== Invalid write of size 1
==38054==    at 0xF8AFFD2: std::basic_streambuf<char, std::char_traits<char> >::xsgetn(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==38054==    by 0xF87CC7D: std::basic_filebuf<char, std::char_traits<char> >::xsgetn(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==38054==    by 0xF8898EA: std::istream::read(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==38054==    by 0x5EDCBAA: OleCompNS::AHJzStreamIOobj::Read(char*, int) const (in /usr/OfficeServerDocumentConverter/lib/libDfvGraphic.so.6.1)
==38054==    by 0x5ED6674: OleCompNS::AHOleCompStream::OLEread(unsigned char*, unsigned int) (in /usr/OfficeServerDocumentConverter/lib/libDfvGraphic.so.6.1)
==38054==    by 0x90D9FEF: DfvCommon::MSORecParseContext::readRecordData(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==38054==    by 0xA9341C7: DfvPptReaderNS::SlidePersistAtom::parse(DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA939924: DfvPptReaderNS::SlideStub::parseSlidePersist(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA9476D2: DfvPptReaderNS::PPTDocument::parseSlideList(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA9489BD: DfvPptReaderNS::PPTDocument::parseDocument() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA948DC7: DfvPptReaderNS::PPTDocument::InitSub() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA94910F: DfvPptReaderNS::PPTDocument::Init(std::istream*, icu_52::UnicodeString const&) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==  Address 0x118b93eb is 13 bytes after a block of size 110 alloc'd
==38054==    at 0x4C2E80F: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==38054==    by 0x90D9F39: DfvCommon::MSORecParseContext::allocBuffer(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==38054==    by 0x90D9FD0: DfvCommon::MSORecParseContext::readRecordData(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvCommon.so.6.1)
==38054==    by 0xA942E6E: DfvPptReaderNS::TxMasterStyleAtom::parse(DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA942DBA: DfvPptReaderNS::PPTDocument::parseEnvironment(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA9488E5: DfvPptReaderNS::PPTDocument::parseDocument() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA948DC7: DfvPptReaderNS::PPTDocument::InitSub() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA94910F: DfvPptReaderNS::PPTDocument::Init(std::istream*, icu_52::UnicodeString const&) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA91C312: DfvPptReaderNS::DfvPptReader::initDocument(std::istream*, int, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0x6856D98: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054==    by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054==    by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054== 
--38054-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--38054-- si_code=128;  Faulting address: 0x0;  sp: 0x802cade30

valgrind: the 'impossible' happened:
   Killed by fatal signal

host stacktrace:
==38054==    at 0x38091C12: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==38054==    by 0x38050E84: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==38054==    by 0x38051056: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==38054==    by 0x380D4F7B: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==38054==    by 0x380E3946: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 38054)
==38054==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==38054==    by 0xF81E41F: __cxa_allocate_exception (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==38054==    by 0xA94A19E: DfvPptReaderNS::PPTError::throwError(unsigned short, icu_52::UnicodeString const&) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA934206: DfvPptReaderNS::SlidePersistAtom::parse(DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA939924: DfvPptReaderNS::SlideStub::parseSlidePersist(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA9476D2: DfvPptReaderNS::PPTDocument::parseSlideList(DfvCommon::MSORecordHeader&, DfvCommon::MSORecParseContext*) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA9489BD: DfvPptReaderNS::PPTDocument::parseDocument() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA948DC7: DfvPptReaderNS::PPTDocument::InitSub() (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA94910F: DfvPptReaderNS::PPTDocument::Init(std::istream*, icu_52::UnicodeString const&) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0xA91C312: DfvPptReaderNS::DfvPptReader::initDocument(std::istream*, int, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvPptReader.so.6.1)
==38054==    by 0x6856D98: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054==    by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054==    by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054==    by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==38054==    by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==38054==    by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)

Timeline

2018-05-21 - Vendor Disclosure
2018-07-10 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.