Talos Vulnerability Report

TALOS-2018-0597

Antenna House Office Server Document Converter vbgetfp code execution vulnerability

July 10, 2018
CVE Number

CVE-2018-3930

Summary

An exploitable out-of-bounds write exists in the Microsoft Word document conversion functionality of the Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312). A crafted Microsoft Word (DOC) document can lead to an out-of-bounds write, resulting in remote code execution. This vulnerability occurs in the vbgetfp method.

Tested Versions

Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312)

Product URLs

https://www.rainbowpdf.com/batch-office-server-document-converter/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

This vulnerability is present in the Antenna House Office Server Document Converter, which is used as the document conversion engine in many enterprise server solutions.
It converts common formats, such as Microsoft's document formats, into more portable and easily viewed formats. The vulnerability lies in the conversion of a Microsoft Word (DOC) file to PDF, JPEG and several other output formats. A specially crafted Microsoft Word (DOC) file can lead to heap corruption and remote code execution. Let's investigate this vulnerability. After attempting to convert a malicious Microsoft Word (DOC) file with the OSDC library under Valgrind, we see the following state:

icewall@ubuntu:/usr/OfficeServerDocumentConverter$ valgrind bin/SBCCmd -p @PDF -o /tmp/test.pdf -d ./crashes/009be5a68df722560f16f9c86b73696b          
==51370== Memcheck, a memory error detector
==51370== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==51370== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==51370== Command: bin/SBCCmd -p @PDF -o /tmp/test.pdf -d ./crashes/009be5a68df722560f16f9c86b73696b
==51370== 
SBCCmd : Office Server Document Converter V6.1 Pro MR2 for Linux64 (6,1,2018,0312) 
         Copyright (c) 1999-2018 Antenna House, Inc.

 ---------------------------------------
 This is an EVALUATION version.
 Prohibits the use of evaluation version
 for the real business activity.
 Expire Date : Jun 06, 2018
 ---------------------------------------

==51370== Invalid write of size 8
==51370==    at 0xB4D3651: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==    by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==  Address 0x12588a80 is 0 bytes after a block of size 512 alloc'd
==51370==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==51370==    by 0xB4D3338: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==    by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)

As we can see, an out-of-bounds write occurred during memory operations inside the vbgetfp method.

Looking at the call stack, we can see that the out-of-bounds write appears in the same function that the overflowed buffer is allocated in. Let's take a look at pseudo code for the vbgetfp function:

Line 1      __int64 __fastcall DfvDocReaderNS::DfvDocReader::vbgetfp(DfvDocReaderNS::DfvDocReader *this, OleCompNS::AHOleCompStream *AHOleCompStream, int page_index, int a4, unsigned __int16 *a5, int *a6)
Line 2      {
Line 3  
Line 4        buffer = (unsigned __int8 *)malloc(0x200uLL);
Line 5        if ( buffer )
Line 6        {
Line 7          dstBuffer = (int *)malloc(0x200uLL);
Line 8          if ( dstBuffer )
Line 9          {
Line 10           if ( v8 == 1 )
Line 11             page_offset = DfvDocReaderNS::FKPPAGE::getPage(
Line 12                             (DfvDocReaderNS::DfvDocReader *)((char *)this + 688),
Line 13                             _page_index);
Line 14           else
Line 15             page_offset = DfvDocReaderNS::FKPPAGE::getPage(
Line 16                             (DfvDocReaderNS::DfvDocReader *)((char *)this + 736),
Line 17                             _page_index);
Line 18           if ( OleCompNS::AHOleCompStream::OLEseek( AHOleCompStream, (unsigned int)(page_offset << 9), 0LL) < 0 )
(...)
Line 24           v117 = OleCompNS::AHOleCompStream::OLEtell(AHOleCompStream);// 
Line 25           v13 = *(_QWORD *)AHOleCompStream;
Line 26           v121.m128i_i64[0] = (__int64)&v123;
Line 27           OleCompNS::AHOleCompStream::OLEread( AHOleCompStream, &v123,  512LL);
(...)
Line 31           qmemcpy(buffer, &v123, 0x200uLL);
Line 32           amountToCopy = buffer[511];
Line 33           v15 = amountToCopy + 1;
Line 34           v16 = 16 * (amountToCopy >> 4);
Line 35           if ( v16 && v15 > 0xF )
Line 36           {
Line 37             _buffer = (const __m128i *)(buffer + 1);
Line 38             _dstBuffer = dstBuffer;
Line 39             index = 0;
Line 40             do
Line 41             {
Line 42               v20 = _mm_loadu_si128(_buffer);
Line 43               ++index;
Line 44               _buffer += 4;
Line 45               _dstBuffer += 16;
Line 46               v21 = _mm_loadu_si128(_buffer - 3);
Line 47               v22 = _mm_loadu_si128(_buffer - 2);
Line 48               v23 = _mm_unpackhi_epi8(v20, v21);
Line 49               v24 = _mm_unpacklo_epi8(v20, v21);
Line 50               v25 = _mm_loadu_si128(_buffer - 1);
Line 51               v26 = _mm_unpackhi_epi8(v22, v25);
Line 52               v27 = v24;
Line 53               v28 = _mm_unpacklo_epi8(v22, v25);
Line 54               v29 = _mm_unpacklo_epi8(v24, v23);
Line 55               v30 = _mm_unpackhi_epi8(v27, v23);
Line 56                 (...)
Line 57               _mm_storeu_si128(
Line 58                 (__m128i *)_dstBuffer - 4,
Line 59                 _mm_or_si128(
Line 60                   _mm_or_si128(
Line 61                     _mm_or_si128(
Line 62                       _mm_slli_epi32(_mm_unpacklo_epi16(v68, (__m128i)0LL), 8u),
Line 63                       _mm_slli_epi32(_mm_unpacklo_epi16(v61, (__m128i)0LL), 0x10u)),
Line 64                     _mm_unpacklo_epi16(v90, (__m128i)0LL)),
Line 65                   _mm_slli_epi32(_mm_unpacklo_epi16(v75, (__m128i)0LL), 0x18u)));
Line 66               _mm_storeu_si128(
Line 67                 (__m128i *)_dstBuffer - 3,
Line 68                 _mm_or_si128(
Line 69                   _mm_or_si128(
Line 70                     _mm_or_si128(
Line 71                       _mm_slli_epi32(_mm_unpackhi_epi16(v68, (__m128i)0LL), 8u),
Line 72                       _mm_slli_epi32(_mm_unpackhi_epi16(v61, (__m128i)0LL), 0x10u)),
Line 73                     _mm_unpackhi_epi16(v90, (__m128i)0LL)),
Line 74                   _mm_slli_epi32(_mm_unpackhi_epi16(v75, (__m128i)0LL), 0x18u)));
Line 75               _mm_storeu_si128(
Line 76                 (__m128i *)_dstBuffer - 1,
Line 77                 _mm_or_si128(
Line 78                   _mm_or_si128(
Line 79                     _mm_or_si128(
Line 80                       _mm_slli_epi32(_mm_unpackhi_epi16(v72, (__m128i)0LL), 8u),
Line 81                       _mm_slli_epi32(_mm_unpackhi_epi16(v76, (__m128i)0LL), 0x10u)),
Line 82                     _mm_unpackhi_epi16(v89, (__m128i)0LL)),
Line 83                   _mm_slli_epi32(_mm_unpackhi_epi16(v79, (__m128i)0LL), 0x18u)));
Line 84               _mm_storeu_si128(
Line 85                 (__m128i *)_dstBuffer - 2,
Line 86                 _mm_or_si128(
Line 87                   _mm_or_si128(
Line 88                     _mm_or_si128(
Line 89                       _mm_slli_epi32(_mm_unpacklo_epi16(v72, (__m128i)0LL), 8u),
Line 90                       _mm_slli_epi32(_mm_unpacklo_epi16(v76, (__m128i)0LL), 0x10u)),
Line 91                     _mm_unpacklo_epi16(v89, (__m128i)0LL)),
Line 92                   _mm_slli_epi32(_mm_unpacklo_epi16(v79, (__m128i)0LL), 0x18u)));
Line 93             }
Line 94             while ( amountToCopy >> 4 > index );
Line 95           (...)
Line 96           v109 = 4 * v16;
Line 97           v110 = (signed __int64)&buffer[4 * v16 + 3];
Line 98           do
Line 99           {
Line 100            v111 = *(unsigned __int8 *)(v110 - 2);
Line 101            v112 = *(unsigned __int8 *)(v110 - 1);
Line 102            v113 = v16++;
Line 103            v110 += 4LL;
Line 104            v114 = (v112 << 16) | (v111 << 8);
Line 105            v115 = v109;
Line 106            v109 += 4;
Line 107            dstBuffer[v113] = (*(unsigned __int8 *)(v110 - 4) << 24) | buffer[v115] | v114;
Line 108          }
Line 109          while ( (signed int)amountToCopy >= v16 );
Line 110          goto LABEL_14;
Line 111        }
Line 112      return 0;
Line 113    }

As we can see, the code above allocates two buffers:

line 4: buffer
line 7: dstBuffer

each with a constant size of 512 bytes (0x200). Next, 512 bytes are read directly from the file and copied into buffer (lines 27 and 31). The last byte of that buffer, amountToCopy (line 32), is used as the limit on the number of iterations of the loop that expands data from buffer into dstBuffer. During each iteration, 64 (0x40) bytes are written. There is no check that amountToCopy >> 4 does not exceed 0x200 / 0x40 = 8, so for any value of amountToCopy in the range 144-255 the loop writes past the end of dstBuffer, corrupting the heap. As a result, an attacker who controls this byte can corrupt memory, potentially resulting in arbitrary remote code execution.

Crash Information

==51370== Invalid read of size 16
==51370==    at 0xB4D356E: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==    by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==  Address 0x12588870 is 16 bytes before a block of size 512 alloc'd
==51370==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==51370==    by 0xB4D3338: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==    by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== 
==51370== Invalid write of size 8
==51370==    at 0xB4D3651: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==    by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==  Address 0x12588a80 is 0 bytes after a block of size 512 alloc'd
==51370==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==51370==    by 0xB4D3338: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==    by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== 
==51370== Invalid write of size 8
==51370==    at 0xB4D367A: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==    by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==  Address 0x12588a90 is 16 bytes after a block of size 512 alloc'd
==51370==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==51370==    by 0xB4D3338: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==    by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370== 
==51370== Invalid write of size 8
==51370==    at 0xB4D36E0: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==    by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==  Address 0x12588ab0 is 16 bytes before an unallocated block of size 2,708,768 in arena "client"
==51370== 
==51370== Invalid write of size 8
==51370==    at 0xB4D36E5: DfvDocReaderNS::DfvDocReader::vbgetfp(OleCompNS::AHOleCompStream*, int, int, unsigned short&, int&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB4F90AF: DfvDocReaderNS::DfvDocReader::getbt(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, DfvDocReaderNS::SubSectParam&) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB5065D0: DfvDocReaderNS::DfvDocReader::wordtowml(OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, DfvDocReaderNS::FIB&, int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506AF7: DfvDocReaderNS::DfvDocReader::convertCore(int) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0xB506BD5: DfvDocReaderNS::DfvDocReader::convert(std::istream*, icu_52::UnicodeString const&, int, bool, bool, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1)
==51370==    by 0x6856B10: DfvInterface::DfvIfObject::getTreeGenerator(OleCompNS::AHOleCompFile::OLEDOCUMENT_TYPE, std::istream*, icu_52::UnicodeString const&, AHCommonNS::AHTempFile&) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686008A: DfvInterface::DfvIfObject::executeV4(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x686196F: DfvInterface::DfvIfObject::execute(std::istream*, AHCommonNS::AHMemStream*, std::ostream*, bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x68620BB: DfvInterface::DfvIfObject::execute(bool) (in /usr/OfficeServerDocumentConverter/lib/libDfvInterface.so.6.1)
==51370==    by 0x40DBF4: XfoCommand::XSLCmd::execCommand() (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==    by 0x408F83: main (in /usr/OfficeServerDocumentConverter/bin/SBCCmd)
==51370==  Address 0x12588aa0 is 32 bytes before an unallocated block of size 2,708,768 in arena "client"
==51370== 

valgrind: m_mallocfree.c:303 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 576, hi = 0.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.

Timeline

2018-05-21 - Vendor Disclosure
2018-07-10 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.