Issue 46276 - OpenOffice DOC document Heap Overflow importing Word doc
Summary: OpenOffice DOC document Heap Overflow importing Word doc
Status: CLOSED DUPLICATE of issue 46388
Alias: None
Product: Writer
Classification: Application
Component: code
Version: OOo 1.1.4
Hardware: All All
Importance: P3 Trivial
Target Milestone: ---
Assignee: flr
QA Contact: issues@sw
Keywords: oooqa
Depends on:
Reported: 2005-03-30 09:40 UTC by airsupply
Modified: 2013-08-07 14:38 UTC (History)

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---

vul doc for test (31.50 KB, application/msword)
2005-03-30 09:43 UTC, airsupply
sorry for my fault, vul.doc is correct, the vul3.doc is the vul doc (31.50 KB, application/msword)
2005-03-30 11:43 UTC, airsupply

Description airsupply 2005-03-30 09:40:55 UTC
OpenOffice DOC document Heap Overflow
[Security Advisory]

Advisory:[AD_LAB-05001] OpenOffice DOC document Heap Overflow
Class: Design Error

    OpenOffice <= 1.1.4

OpenOffice is an office productivity suite, including word
processing, spreadsheets, presentations, drawings, data charting,
formula editing, and file conversion facilities.
The vulnerability is caused by an error within the .doc document header
processing. This can be exploited to cause a heap-based buffer overflow.

	There is a vulnerability in the StgCompObjStream::Load() function.
When reading the DOC document format information, memory is allocated with a
length provided by the DOC.
The DOC provides a 32-bit integer, and the low 16 bits of this number are used to
allocate memory,
but when reading the doc information, the full 32-bit number is still used as the
length. This may cause a heap
overflow, and when the free happens, it will cause a pointer write, which may cause
arbitrary code execution.

BOOL StgCompObjStream::Load()
{
    memset( &aClsId, 0, sizeof( ClsId ) );
    nCbFormat = 0;
    if( GetError() != SVSTREAM_OK )
        return FALSE;
    Seek( 8L );
    INT32 nMarker = 0;
    *this >> nMarker;
    if( nMarker == -1L )
    {
        *this >> aClsId;
        INT32 nLen1 = 0;
        *this >> nLen1; // we can control this 32-bit int
        sal_Char* p = new sal_Char[ (USHORT) nLen1 ]; // use low 16 bits value to allocate memory
        if( Read( p, nLen1 ) == (ULONG) nLen1 ) // still use 32-bit int as length; if it fails,
                                                // will go to the free step, maybe cause write pointer
        {
            aUserName = String( p, gsl_getSystemTextEncoding() );
            nCbFormat = ReadClipboardFormat( *this );
        }
        delete [] p; // free step, heap overflow causes write pointer
    }
    return BOOL( GetError() == SVSTREAM_OK );
}
	If we provide 0x10000018 to nLen1, 0x18 bytes of memory will be allocated,
 but Read( p, nLen1 ) still uses 0x10000018 as the length; the read will then fail,
 but the number of bytes read is bigger than the allocated memory and overwrites the next chunk.
When it gets to delete [] p;, the pointer write happens. We have triggered this problem
successfully and caused arbitrary code execution.
	StarOffice may be affected too; not tested.

    AD-LAB discovered this vuln :)
Vulnerability analysis and advisory by A1rsupp1y.
Special thanks to xalan's discussion.
Thanks to Sam, icbm, liangbin and all Venustech AD-Lab guys :P.


The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages. 

Copyright 1996-2005 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab 

Trusted {Solution} Provider
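As an added example (not code from this issue or from OpenOffice), a hardened C stand-in for the nLen1 handling the advisory describes: one length value serves both the allocation and the read, and it is validated against the bytes actually left in the stream before anything is copied. The stream layout (8-byte header, int32 marker of -1, 16-byte CLSID, int32 length, name bytes) follows the posted Load() snippet; the 0xFFFF cap, the little-endian encoding, and the run_case builder with its constructed input are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stream layout as the posted Load() reads it: 8-byte header, int32 marker (-1),
 * 16-byte CLSID, int32 nLen1, then nLen1 bytes of user name. Little-endian assumed. */
#define HDR_LEN 8
#define CLSID_LEN 16
#define MAX_NAME_LEN 0xFFFF /* assumed cap: the original (USHORT) allocation never exceeds this */

static int32_t rd_i32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}
static void wr_i32(uint8_t *p, int32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)((uint32_t)v >> (8 * i));
}

/* Hardened equivalent of the nLen1 handling: one length value serves both the
 * allocation and the read, and it is validated before any byte is copied.
 * Returns the name length, or a negative code when the stream is rejected. */
int load_compobj_name(const uint8_t *data, size_t size, char *out, size_t out_cap) {
    size_t pos = HDR_LEN;                      /* Seek( 8L ) */
    if (size < pos + 4 || rd_i32(data + pos) != -1) return -1;
    pos += 4 + CLSID_LEN;                      /* skip marker and CLSID */
    if (size < pos + 4) return -1;
    int32_t len = rd_i32(data + pos);
    pos += 4;
    /* Negative, larger than the allocation could ever be, or longer than what is
     * left in the stream: the advisory's 0x10000018 fails both of the latter checks. */
    if (len < 0 || len > MAX_NAME_LEN || (size_t)len > size - pos) return -2;
    if ((size_t)len >= out_cap) return -3;     /* caller's buffer too small */
    memcpy(out, data + pos, (size_t)len);
    out[len] = '\0';
    return len;
}

/* Constructed input (hypothetical helper): writes name_len verbatim so a length that
 * disagrees with the actual payload can be fed to the loader; returns the loader's result. */
int run_case(int32_t name_len, const char *name) {
    uint8_t buf[128] = {0}; char out[64];
    size_t n = strlen(name);
    wr_i32(buf + HDR_LEN, -1);                               /* CLSID stays zeroed */
    wr_i32(buf + HDR_LEN + 4 + CLSID_LEN, name_len);
    memcpy(buf + HDR_LEN + 4 + CLSID_LEN + 4, name, n);
    return load_compobj_name(buf, HDR_LEN + 4 + CLSID_LEN + 4 + n, out, sizeof out);
}
```

run_case(5, "Alice") returns 5, while run_case(0x10000018, "Alice") returns -2 before any allocation or copy takes place.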
Comment 1 airsupply 2005-03-30 09:43:12 UTC
Created attachment 24401 [details]
vul doc for test
Comment 2 airsupply 2005-03-30 09:47:56 UTC
Affects all stable OpenOffice versions; maybe current too.
Comment 3 michael.ruess 2005-03-30 11:04:29 UTC
MRU->FLR: I didn't get a crash on Windows systems (either with OO 1.1.4 or OO
2.0). Please have a look at the code proposal, if it is of any worth to you. Thanks!
Comment 4 airsupply 2005-03-30 11:35:20 UTC
Sorry, it's for Linux; I did not test under a Windows system.
Comment 5 airsupply 2005-03-30 11:43:50 UTC
Created attachment 24407 [details]
sorry for my fault, vul.doc is correct, the vul3.doc is the vul doc
Comment 6 flibby05 2005-04-21 14:39:28 UTC
closing double

*** This issue has been marked as a duplicate of 46388 ***
Comment 7 flibby05 2005-04-21 14:39:47 UTC