Issue 72615 - WW8: oowriter crashes on document import of corrupted file
Summary: WW8: oowriter crashes on document import of corrupted file
Status: CLOSED DUPLICATE of issue 72614
Alias: None
Product: Writer
Classification: Application
Component: open-import
Version: OOo 2.1
Hardware: PC All
: P3 Trivial (vote)
Target Milestone: ---
Assignee: openoffice
QA Contact: issues@sw
URL: http://www.milw0rm.com/sploits/121220...
Keywords: oooqa
Depends on:
Blocks:
 
Reported: 2006-12-15 11:20 UTC by frankdelange
Modified: 2013-08-07 14:38 UTC (History)
3 users

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Attachments
The file with the MS Word overflow exploit which crashes oowriter (26.00 KB, application/msword)
2006-12-15 11:21 UTC, frankdelange

Description frankdelange 2006-12-15 11:20:30 UTC
oowriter crashes when trying to import this document:

http://www.milw0rm.com/sploits/12122006-djtest.doc

The document is a proof of concept for an exploitable overflow in Microsoft
Word. It seems to trigger a bug in OO.o as well (possibly also open for exploit?)

Here's the trace:

(I)    x.org loaded video driver of...
(II) Loading /usr/lib/xorg/modules/drivers/v4l_drv.so
(II) Loading /usr/lib/xorg/modules/drivers/radeon_drv.so
(II) Loading /usr/lib/xorg/modules/drivers/ati_drv.so
(II) Reloading /usr/lib/xorg/modules/drivers/radeon_drv.so
(III)  Desktop is: GNOME
(IV)   libgcj version is: libgcj-4.1.1-44-i386
(V)    kernel is: Linux 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST 2006
i686 i686 i386
(VI)   OpenOffice.org core rpm version is: openoffice.org-core-2.1.0-6.1-i386
(VII)  depth of root window:    24 planes
(VIII) accessibility is: false
(VIV)  fedora release is: Fedora Core release 6 (Rawhide)
...start free space details ...
...end free space details ...
...start sestatus details ...
SELinux status:                 disabled
...end sestatus details ...
...start stackreport details ...
0x620bef8: /usr/lib/openoffice.org2.1/program/libuno_sal.so.3 + 0x22ef8
0x620cb8b: /usr/lib/openoffice.org2.1/program/libuno_sal.so.3 + 0x23b8b
0xd4e420:  + 0x420 (__kernel_sigreturn + 0x0)
0x39e962d: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x75062d
0x39f10d0: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x7580d0
0x39f11c3: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x7581c3
0x39f63e1: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x75d3e1
0x39a3b60: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x70ab60
0x39a50a7: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x70c0a7
0x39a5a86: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x70ca86
0x39a5ba1: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x70cba1
0x38621bf: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x5c91bf
0x3a5df35: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x7c4f35
0x7d6e3bc: /usr/lib/openoffice.org2.1/program/libsfx680li.so + 0x1a23bc
(SfxObjectShell::DoLoad(SfxMedium*) + 0x79c)
0x7dd6283: /usr/lib/openoffice.org2.1/program/libsfx680li.so + 0x20a283
(SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
const&) + 0x323)
0x7e0c84f: /usr/lib/openoffice.org2.1/program/libsfx680li.so + 0x24084f
0x2240ca6: /usr/lib/openoffice.org2.1/program/libfwk680li.so + 0x19fca6
0x22428ba: /usr/lib/openoffice.org2.1/program/libfwk680li.so + 0x1a18ba
0x22430a5: /usr/lib/openoffice.org2.1/program/libfwk680li.so + 0x1a20a5
0x20e86f3: /usr/lib/openoffice.org2.1/program/libfwk680li.so + 0x476f3
0x31e8e2f: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x3ee2f
(desktop::DispatchWatcher::executeDispatchRequests(_STL::vector<desktop::DispatchWatcher::DispatchRequest,
_STL::allocator<desktop::DispatchWatcher::DispatchRequest> > const&) + 0x194f)
0x31db671: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x31671
(desktop::OfficeIPCThread::ExecuteCmdLineRequests(desktop::ProcessDocumentsRequest&)
+ 0x151)
0x31d581a: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x2b81a
(desktop::Desktop::OpenClients() + 0x14ea)
0x31d6f30: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x2cf30
(desktop::Desktop::OpenClients_Impl(void*) + 0x50)
0x31d6fe4: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x2cfe4
(desktop::Desktop::LinkStubOpenClients_Impl(void*, void*) + 0x24)
0x6c013e6: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x28a3e6
0x1d515c: /usr/lib/openoffice.org2.1/program/libvclplug_gen680li.so + 0x4f15c
(SalDisplay::DispatchInternalEvent() + 0xbc)
0x144f71: /usr/lib/openoffice.org2.1/program/libvclplug_gtk680li.so + 0xff71
0x144fb1: /usr/lib/openoffice.org2.1/program/libvclplug_gtk680li.so + 0xffb1
0x859491: /lib/libglib-2.0.so.0 + 0x29491
0x85b1f2: /lib/libglib-2.0.so.0 + 0x2b1f2 (g_main_context_dispatch + 0x182)
0x85e1cf: /lib/libglib-2.0.so.0 + 0x2e1cf
0x85e735: /lib/libglib-2.0.so.0 + 0x2e735 (g_main_context_iteration + 0x65)
0x146e81: /usr/lib/openoffice.org2.1/program/libvclplug_gtk680li.so + 0x11e81
0x1dfdb7: /usr/lib/openoffice.org2.1/program/libvclplug_gen680li.so + 0x59db7
(X11SalInstance::Yield(bool, bool) + 0x37)
0x6a0e988: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x97988
(Application::Yield(bool) + 0x68)
0x6a0ea5c: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x97a5c
(Application::Execute() + 0x3c)
0x31d0ab9: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x26ab9
(desktop::Desktop::Main() + 0x1779)
0x6a144dc: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x9d4dc
0x6a145e5: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x9d5e5 (SVMain()
+ 0x35)
0x31c18f9: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x178f9 (sal_main
+ 0x59)
0x31c1984: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x17984 (main + 0x44)
0x575e5c: /lib/libc.so.6 + 0x15e5c (__libc_start_main + 0xdc)
0x80484c1: /usr/lib/openoffice.org2.1/program/swriter.bin + 0x4c1
...end stackreport details ...
...start sample ldd details ...
...end sample ldd details ...

I have not run gdb on this crash but someone else did:

 (from a Slashdot posting, he used OO.o 2.0.4)

 "...The gdb backtrace shows that the crash occurs in SwIoSystem::IsFileFilter
(). EIP may not have been overwritten; the value points into what appears to be
a valid function (i.e. not the stack or heap):

eip 0xb7286b4d 0xb7286b4d osl_getVolumeInformation+4487"

I used the current Fedora core development distribution of OO.o for the
backtrace, based on openoffice.org-2.1.0-6.1.src.rpm
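A small triage helper for the stackreport format quoted above, added here as an example (it is not part of this issue and not OpenOffice.org's own crash reporter code). It re-joins symbol names that the reporter wrapped onto following lines, parses every frame into address, module, module offset and symbol, and picks the faulting frame as the one that follows the kernel signal trampoline (`__kernel_sigreturn`), since the frames above it belong to the crash handler rather than to the crash. Run on the frames of this report it places the fault inside libsw680li.so at a known offset, with the PC still inside a loaded module, which matches the "EIP may not have been overwritten" observation in the description. The sample input is a shortened copy of the report's frames; the trampoline heuristic, the function names and the summary keys are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: a shortened copy of the stackreport frames from
# this issue, keeping the wrapped-symbol lines so the joiner is exercised.
SAMPLE_STACKREPORT = """\
0x620bef8: /usr/lib/openoffice.org2.1/program/libuno_sal.so.3 + 0x22ef8
0x620cb8b: /usr/lib/openoffice.org2.1/program/libuno_sal.so.3 + 0x23b8b
0xd4e420:  + 0x420 (__kernel_sigreturn + 0x0)
0x39e962d: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x75062d
0x39f10d0: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x7580d0
0x7d6e3bc: /usr/lib/openoffice.org2.1/program/libsfx680li.so + 0x1a23bc
(SfxObjectShell::DoLoad(SfxMedium*) + 0x79c)
0x7dd6283: /usr/lib/openoffice.org2.1/program/libsfx680li.so + 0x20a283
(SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
const&) + 0x323)
0x575e5c: /lib/libc.so.6 + 0x15e5c (__libc_start_main + 0xdc)
0x80484c1: /usr/lib/openoffice.org2.1/program/swriter.bin + 0x4c1
"""

# One joined frame: "0xADDR: MODULE + 0xOFF (SYMBOL + 0xOFF)"; MODULE may be
# empty when the address was not inside any loaded object, and the symbol
# part is optional.
FRAME_RE = re.compile(
    r"(0x[0-9a-fA-F]+):\s*(\S*)\s*\+\s*(0x[0-9a-fA-F]+)"
    r"(?:\s*\((.*)\s+\+\s+(0x[0-9a-fA-F]+)\))?\s*"
)
TRAMPOLINE = "__kernel_sigreturn"  # assumed marker for the Linux/i386 signal frame


@dataclass
class Frame:
    address: int
    module: str                    # "" when no module contained the address
    module_offset: int
    symbol: Optional[str]
    symbol_offset: Optional[int]


def join_wrapped_lines(text: str) -> List[str]:
    """Glue continuation lines (those not starting with an address) onto their frame."""
    frames: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"0x[0-9a-fA-F]+:", line) or not frames:
            frames.append(line)
        else:
            frames[-1] += " " + line
    return frames


def parse_stackreport(text: str) -> List[Frame]:
    """Parse a stackreport block into Frame records, innermost frame first."""
    frames: List[Frame] = []
    for line in join_wrapped_lines(text):
        m = FRAME_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unrecognised frame line: {line!r}")
        addr, module, off, sym, sym_off = m.groups()
        frames.append(Frame(int(addr, 16), module, int(off, 16),
                            sym, int(sym_off, 16) if sym_off else None))
    return frames


def triage(frames: List[Frame]) -> Dict[str, object]:
    """Locate the faulting frame and summarise what a defender wants first."""
    # Frames above the signal trampoline are the crash handler itself; the
    # frame right after it is where the signal was delivered. Without a
    # trampoline, assume the first frame is the fault.
    idx = next((i for i, f in enumerate(frames) if f.symbol == TRAMPOLINE), None)
    fault_idx = idx + 1 if idx is not None and idx + 1 < len(frames) else 0
    fault = frames[fault_idx]
    base = lambda path: path.rsplit("/", 1)[-1]  # noqa: E731 (short helper)
    return {
        "crashing_module": base(fault.module),
        "fault_offset": fault.module_offset,
        # A PC outside every loaded module is the classic sign of a corrupted
        # return address; a PC inside a module points at a plain code bug.
        "pc_in_mapped_module": bool(fault.module),
        "named_callers": [f.symbol for f in frames[fault_idx + 1:] if f.symbol],
        "modules_on_stack": sorted({base(f.module) for f in frames if f.module}),
    }


if __name__ == "__main__":
    summary = triage(parse_stackreport(SAMPLE_STACKREPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

For a real report, paste everything between the "start stackreport details" and "end stackreport details" markers into `parse_stackreport`; the module offset it reports (here 0x75062d into libsw680li.so) is what you would resolve with `addr2line` against the matching debuginfo package to name the importer function, and the `pc_in_mapped_module` flag separates a plain parser crash from a trace that warrants a closer look at control-flow integrity.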
Comment 1 frankdelange 2006-12-15 11:21:26 UTC
Created attachment 41442
The file with the MS Word overflow exploit which crashes oowriter
Comment 2 michael.ruess 2006-12-15 15:30:42 UTC
The attached document looks damaged - even Word is not able to recognize it as
its own format and refuses to open.
But at least OO should not crash when trying to open it...
Comment 3 aziem 2006-12-15 18:10:19 UTC
Duplicate of issue 72615? It's the same document.
Comment 4 kpalagin 2006-12-17 13:33:04 UTC
Seems to be duplicate of http://www.openoffice.org/issues/show_bug.cgi?id=72614


*** This issue has been marked as a duplicate of 72614 ***
Comment 5 ace_dent 2008-05-17 21:08:04 UTC
The Issue you raised has been marked as 'Resolved' and not updated within the
last 1 year+. I am therefore setting this issue to 'Verified' as the first step
towards Closing it. If you feel this is incorrect, please re-open the issue and
add any comments.

Many thanks,
Andrew
 
Cleaning-up and Closing old Issues
~ The Grand Bug Squash, pre v3 ~
http://marketing.openoffice.org/3.0/announcementbeta.html
Comment 6 ace_dent 2008-05-17 23:09:57 UTC
As per previous posting: Verified -> Closed.
A Closed Issue is a Happy Issue (TM).

Regards,
Andrew