CVE-2017-2804
A remote out-of-bounds write vulnerability exists in the TIFF parsing functionality of Corel PHOTO-PAINT X8 18.1.0.661. A specially crafted TIFF file can cause a vulnerability resulting in potential memory corruption. An attacker can send the victim a specific TIFF file to trigger this vulnerability.
Corel PHOTO-PAINT X8 (Corel TIFF Import/Export Filter (64-Bit) - 18.1.0.661) - x64 & x86 version
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787 - Out-of-bounds Write
A remote memory corruption vulnerability exists in the TIFF parsing functionality of Corel PHOTO-PAINT. A specially crafted TIFF file can cause a vulnerability resulting in potential memory corruption.
The module involved in this vulnerability is described below:
start end module name
31980000 319a2000 IETIF (export symbols) c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters\IETIF.FLT
Loaded symbol image file: c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters\IETIF.FLT
Image path: c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters\IETIF.FLT
Image name: IETIF.FLT
Timestamp: Fri Jun 24 18:14:13 2016 (576DDAE5)
CheckSum: 00022E36
ImageSize: 00022000
File version: 18.1.0.661
While parsing a TIFF file, a tag of type 0x111 (StripOffsets) can be given. This tag carries a count attribute that dictates further information to read from the file.
<class tiff.Entry> '3'
[30] <instance tiff.DirectoryTag 'tag'> StripOffsets(0x111)
[32] <instance tiff.DirectoryType 'type'> BYTE(0x1)
[34] <instance pint.uint32_t 'count'> 0x00000001 (1)
[38] <instance tiff.BYTE 'value'> 0x00 (0)
[39] <instance dynamic.block(3) 'padding'> "\x00\x00\x00"
[3c] <instance ptype.undefined 'pointer'> ...
If there is no more data to read from the file, ReadFile will return 0 for the number of bytes read from the file.
CDRFLT!FLTCLIPDATA::GetClrUsed+0x28ad:
.text:1001FA1D 010 lea eax, [esp+10h+NumberOfBytesRead]
.text:1001FA21 010 push eax ; Bytes read written to this address
.text:1001FA22 014 push [esp+14h+nNumberOfBytesToRead]
.text:1001FA26 018 push [esp+18h+lpBuffer]
.text:1001FA2A 01C push dword ptr [esi+40h]
.text:1001FA2D 020 call ds:ReadFile ; NumberOfBytesRead is set to 0
.text:1001FA33 00C neg eax
.text:1001FA35 00C lea ecx, [esp+0Ch+var_8]
.text:1001FA39 00C sbb esi, esi
.text:1001FA3B 00C and esi, [esp+0Ch+NumberOfBytesRead]
.text:1001FA3F 00C call ds:mfc140u_1052 ; Doesn't modify esi
.text:1001FA45 00C mov eax, esi ; esi (0) is returned
.text:1001FA47 00C pop esi
.text:1001FA48 008 add esp, 8
.text:1001FA4B 000 retn 0Ch
This value is saved at offset 0x10 for later use.
IETIF!FilterEntry04+0x8c4a:
.text:1000AF9A 030 FF D0 call eax ; ReadFile function from above
.text:1000AF9C 024 89 45 10 mov [ebp+10h], eax ; 0 value written
The function presented below is typically executed 3 times (assuming our POC is being parsed):
1st pass: 8 bytes are read (TIFF initial/basic header)
2nd pass: number of bytes is calculated by this formula: image file directory num entries * 12 (size of entry)
3rd pass: in our case -1 bytes (large negative number)
IETIF!FilterEntry04+0xaa00:
.text:0001CD50 ; int __stdcall memcpy_proc(void *Dst, int)
.text:0001CD50 memcpy_proc proc near ; CODE XREF: sub_18110+F3p
.text:0001CD50 ; sub_184A0:loc_1869Dp ...
.text:0001CD50
.text:0001CD50 Dst = dword ptr 4
.text:0001CD50 arg_4 = dword ptr 8
.text:0001CD50
.text:0001CD50 push ebx
.text:0001CD51 mov ebx, [esp+4+Dst]
.text:0001CD55 push esi
.text:0001CD56 mov esi, ecx
.text:0001CD58 push edi
.text:0001CD59 mov edi, [esp+0Ch+arg_4]
.text:0001CD5D mov edx, [esi+4]
.text:0001CD60 add edi, [esi+8]
.text:0001CD63 add edx, [esi+8]
.text:0001CD66 mov eax, [esi+10h] ; eax=how many bytes to read?
.text:0001CD69 cmp edi, eax ; but eax can be forced to be 0
.text:0001CD6B jle short loc_1CDCA ; less than (good read)
.text:0001CD6D nop dword ptr [eax]
.text:0001CD70
.text:0001CD70 loc_1CD70: ; CODE XREF: memcpy_proc+78j
.text:0001CD70 sub eax, [esi+8] ; 0 bytes - 1 bytes = -1 (infinite)
.text:0001CD73 push eax ; Size
.text:0001CD74 push edx ; Src
.text:0001CD75 push ebx ; Dst
.text:0001CD76 call memcpy ; bug
.text:0001CD7B mov eax, [esi+10h]
.text:0001CD7E add esp, 0Ch
.text:0001CD81 sub eax, [esi+8]
.text:0001CD84 sub edi, [esi+10h]
.text:0001CD87 add ebx, eax
.text:0001CD89 mov eax, [esi]
.text:0001CD8B push dword ptr [esi+0Ch]
.text:0001CD8E push dword ptr [esi+4]
.text:0001CD91 push eax
.text:0001CD92 mov eax, [eax+1B8h]
.text:0001CD98 call eax
.text:0001CD9A mov [esi+10h], eax
.text:0001CD9D cmp eax, [esi+0Ch]
.text:0001CDA0 jge short loc_1CDB9
.text:0001CDA2 cmp eax, edi
.text:0001CDA4 jge short loc_1CDB9
.text:0001CDA6 mov eax, [esi]
.text:0001CDA8 mov dword ptr [eax+78h], 6773h
.text:0001CDAF mov edi, [esi+10h]
.text:0001CDB2 mov dword ptr [esi+18h], 1
.text:0001CDB9
.text:0001CDB9 loc_1CDB9: ; CODE XREF: memcpy_proc+50j
.text:0001CDB9 ; memcpy_proc+54j
.text:0001CDB9 mov eax, [esi+10h]
.text:0001CDBC mov edx, [esi+4]
.text:0001CDBF mov dword ptr [esi+8], 0
.text:0001CDC6 cmp edi, eax
.text:0001CDC8 jg short loc_1CD70
.text:0001CDCA
.text:0001CDCA loc_1CDCA: ; CODE XREF: memcpy_proc+1Bj
.text:0001CDCA mov eax, edi
.text:0001CDCC sub eax, [esi+8]
.text:0001CDCF push eax ; Size
.text:0001CDD0 push edx ; Src
.text:0001CDD1 push ebx ; Dst
.text:0001CDD2 call memcpy
.text:0001CDD7 mov ecx, [esi+10h]
.text:0001CDDA add esp, 0Ch
.text:0001CDDD test ecx, ecx
.text:0001CDDF jz short loc_1CDE9
.text:0001CDE1
.text:0001CDE1 loc_1CDE1: ; CODE XREF: memcpy_proc+97j
.text:0001CDE1 cmp edi, ecx
.text:0001CDE3 jle short loc_1CDE9
.text:0001CDE5 sub edi, ecx
.text:0001CDE7 jmp short loc_1CDE1
.text:0001CDE9 ; ---------------------------------------------------------------------------
.text:0001CDE9
.text:0001CDE9 loc_1CDE9: ; CODE XREF: memcpy_proc+8Fj
.text:0001CDE9 ; memcpy_proc+93j
.text:0001CDE9 xor eax, eax
.text:0001CDEB test ecx, ecx
.text:0001CDED cmovnz eax, edi
.text:0001CDF0 pop edi
.text:0001CDF1 mov [esi+8], eax
.text:0001CDF4 pop esi
.text:0001CDF5 pop ebx
.text:0001CDF6 retn 8
.text:0001CDF6 memcpy_proc endp
Using the saved 0 value from ReadFile in a subtraction (0x0001CD70), a 0xffffffff value is generated and passed as the size to a memcpy operation.
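The arithmetic described above, as an added example (not code from the advisory or from Corel): a C model of the buffered reader, with field roles assumed from the offsets in the listing, showing the unchecked size computation beside a hardened copy that rejects a zero-byte read. The struct, the function names and the 8-byte sample are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field roles are inferred from the offsets in the listing above; the
   struct and every name below are hypothetical, not Corel's code. */
struct reader {
    const uint8_t *file;   /* constructed in-memory stand-in for the TIFF file */
    size_t file_len, file_off;
    uint8_t buf[64];       /* [esi+4]   staging buffer                  */
    int32_t pos;           /* [esi+8]   bytes already consumed from buf */
    int32_t cap;           /* [esi+0Ch] staging buffer capacity         */
    int32_t filled;        /* [esi+10h] byte count returned by the read */
};

void reader_init(struct reader *r, const uint8_t *file, size_t len)
{
    memset(r, 0, sizeof *r);
    r->file = file;
    r->file_len = len;
    r->cap = (int32_t)sizeof r->buf;
}

/* Stand-in for the ReadFile wrapper: bytes read, 0 at end of file. */
static int32_t refill(struct reader *r)
{
    size_t left = r->file_len - r->file_off;
    size_t n = left < (size_t)r->cap ? left : (size_t)r->cap;
    memcpy(r->buf, r->file + r->file_off, n);
    r->file_off += n;
    return (int32_t)n;
}

/* Size as computed at 0x1CD70 (sub eax, [esi+8]) with no validation;
   memcpy then interprets the result as an unsigned length. */
uint32_t unchecked_chunk_size(int32_t filled, int32_t pos)
{
    return (uint32_t)filled - (uint32_t)pos;
}

/* Hardened copy: 0 on success, -1 on a short file or inconsistent state.
   Never copies more than dst_cap bytes. */
int checked_read(struct reader *r, uint8_t *dst, size_t dst_cap, size_t want)
{
    if (want > dst_cap)
        return -1;
    while (want > 0) {
        if (r->pos < 0 || r->pos > r->filled || r->filled > r->cap)
            return -1;                 /* filled - pos would underflow */
        size_t avail = (size_t)(r->filled - r->pos);
        if (avail == 0) {
            r->filled = refill(r);
            r->pos = 0;
            if (r->filled <= 0)
                return -1;             /* zero-byte read: file is truncated */
            continue;
        }
        size_t n = want < avail ? want : avail;
        memcpy(dst, r->buf + r->pos, n);
        dst += n;
        r->pos += (int32_t)n;
        want -= n;
    }
    return 0;
}

/* Constructed sample: an 8-byte TIFF header with nothing after it. */
static const uint8_t SAMPLE[8] = { 'I', 'I', 0x2a, 0x00, 0x08, 0x00, 0x00, 0x00 };

/* Returns the result of reading a 12-byte directory entry that is absent. */
int read_missing_entry(void)
{
    struct reader r;
    uint8_t hdr[8], entry[12];
    reader_init(&r, SAMPLE, sizeof SAMPLE);
    if (checked_read(&r, hdr, sizeof hdr, sizeof hdr) != 0)
        return 1;
    return checked_read(&r, entry, sizeof entry, sizeof entry);
}

int main(void)
{
    printf("unchecked size: 0x%08x\n", (unsigned)unchecked_chunk_size(0, 1));
    printf("checked read of missing entry: %d\n", read_missing_entry());
    return 0;
}
```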
0:000> !analyze -v
***************************
*                         *
*   Exception Analysis    *
*                         *
***************************
FAULTING_IP:
VCRUNTIME140!memcpy+57 [f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 135]
00007ffe`2b9ec877 f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffe2b9ec877 (VCRUNTIME140!memcpy+0x0000000000000057)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000016759f1b000
Attempt to write to address 0000016759f1b000
CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
rax=0000016759ed15a0 rbx=0000016759e49830 rcx=fffffffffffb659f
rdx=ffffffffffff5b61 rsi=0000016759f10b61 rdi=0000016759f1b000
rip=00007ffe2b9ec877 rsp=00000037e49cc218 rbp=0000016759ed15a0
r8=0000000000000000 r9=0000000000000000 r10=0000016759ec7101
r11=0000000000000002 r12=0000016759ec5b60 r13=0000000000000000
r14=0000016759ed15a0 r15=0000016759ed15a0
iopl=0 nv up ei ng nz na pe cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010283
VCRUNTIME140!memcpy+0x57:
00007ffe`2b9ec877 f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
FAULTING_THREAD: 0000000000001684
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
PROCESS_NAME: CorelPP-APP.exe
OVERLAPPED_MODULE: Address regions for 'icm32' and 'lcms2.dll' overlap
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 0000016759f1b000
WRITE_ADDRESS: 0000016759f1b000
FOLLOWUP_IP:
VCRUNTIME140!memcpy+57 [f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 135]
00007ffe`2b9ec877 f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
APP: corelpp-app.exe
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x1684 (0)
Current frame:
Child-SP RetAddr Caller, Callee
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 00007ffe0390ead0 to 00007ffe2b9ec877
STACK_TEXT:
00000037`e49cc218 00007ffe`0390ead0 : 00000000`00000000 00000000`00000000 00000037`002b40d5 00000037`00000001 :
VCRUNTIME140!memcpy+0x57
00000037`e49cc220 00007ffe`0390d4f0 : 00000000`00000001 00000167`59eb8830 00007ffe`0390af50 00000000`00000000 :
IETIF!FilterEntry04+0xc690
00000037`e49cc250 00007ffe`0390cb51 : 00000000`00000000 00000000`00000001 00000167`59eb8830 00007ffe`0390af50 :
IETIF!FilterEntry04+0xb0b0
00000037`e49cc300 00007ffe`0390d70e : 00000167`00000001 00000167`00000001 00007ffe`0390af50 00000167`59ed2200 :
IETIF!FilterEntry04+0xa711
00000037`e49cc380 00007ffe`03901ff0 : 00000000`00000000 00000167`59eb8830 00000167`59eb8830 00000000`00000000 :
IETIF!FilterEntry04+0xb2ce
00000037`e49cc420 00007ffe`14bf097d : 00000000`00000001 0000015f`2e7607f0 00000000`00000180 00000000`00000001 :
IETIF!FilterEntry+0x90
00000037`e49cc450 00007ffe`14bde7ff : 00000000`00000000 00000000`00000001 00000167`59eb8830 00000000`00000000 :
CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
00000037`e49cc490 00007ffe`10702298 : 00000000`00000000 00000000`00000000 00000000`00000030 00000000`00000001 :
CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
00000037`e49cc5c0 00007ffe`106fac66 : 0000015f`00000007 00007ffe`3bcfacee 00000037`e49cc9dc 00000167`59ebb1d0 :
corelpp!CTool::GetAutoScroll+0x630a8
00000037`e49cc6c0 00007ffe`106f7e91 : 0000015f`2ab20000 00000000`00000038 00000000`00000001 00007ffe`3bd08097 :
corelpp!CTool::GetAutoScroll+0x5ba76
00000037`e49cc900 00007ffe`106f761c : 00000167`59d29270 00000167`59eb8830 0000015f`2ab87b90 00000167`59d29270 :
corelpp!CTool::GetAutoScroll+0x58ca1
00000037`e49cd040 00007ffe`105fea42 : 00000167`599492b0 00000167`59d29270 0000015f`2eb072a0 00007ffe`10648f56 :
corelpp!CTool::GetAutoScroll+0x5842c
00000037`e49cdd80 00007ffe`105ffc79 : 00000167`59d29270 00007ffe`10b490d0 00000167`599492b0 00000167`599492b0 :
corelpp!CPntCom::CPntCom+0x28b32
00000037`e49cdeb0 00007ffe`106484b7 : 00007ffe`10b490d0 00000037`e49ce2b0 00000167`599492b0 00000167`59eb7398 :
corelpp!CPntCom::CPntCom+0x29d69
00000037`e49ce020 00007ffe`10649f6b : 00007ffe`10e13ba0 00000037`e49ce2b0 00000167`599492b0 ffffffff`fcdcfb70 :
corelpp!CPntCom::CPntCom+0x725a7
00000037`e49ce060 00007ffe`106483aa : 00000037`e49ce1b0 00000037`e49cee58 00000037`e49ce2b0 00000167`599492b0 :
corelpp!CPntCom::CPntCom+0x7405b
00000037`e49ce160 00007ffe`10a1ab4e : 00000037`e49cee58 00000037`e49ce2b0 00000167`59eb7398 00000037`e49ce1b0 :
corelpp!CPntCom::CPntCom+0x7249a
00000037`e49ce1b0 00007ffe`10a194d9 : 00000037`e49cee20 00000167`58491e20 00000000`00000000 00000167`59e5aa18 :
corelpp!GetComponentTool+0xa58de
00000037`e49ceda0 00007ffe`10a16d26 : 0000015f`2ac1ea30 0000015f`00000028 00000167`58491ba8 00007ffe`11b003d0 :
corelpp!GetComponentTool+0xa4269
00000037`e49ceed0 00007ffe`105b9c7e : 00000037`e49cef28 0000015f`2f05d990 00007ffe`10c4bbe4 00000167`59aa6ee8 :
corelpp!GetComponentTool+0xa1ab6
00000037`e49cef00 00007ffe`105b4f29 : 0000015f`2e60b768 0000015f`2f05d990 00000167`59aa6ee8 00007ffe`16c63d66 :
corelpp!CTool::GetNumStrokes+0x231e
00000037`e49cef50 00007ffe`105ec3cc : 00000000`00000000 0000015f`2e60b768 0000015f`2eb072a0 0000015f`2f05a590 :
corelpp!StartApp+0xc139
00000037`e49cf020 00007ffe`10a1d6f8 : 00000000`00000000 00000000`00000001 0000015f`2eb072a0 00000000`00000000 :
corelpp!CPntCom::CPntCom+0x164bc
00000037`e49cf070 00007ffe`105a8c87 : 00000167`59e3b898 00000167`00000000 00000037`e49cf370 00000000`00000000 :
corelpp!GetComponentTool+0xa8488
00000037`e49cf0c0 00007ffe`1169fa1b : 0000015f`2eaffb40 00000037`e49cf370 00000000`00000000 0000015f`2ab41428 :
corelpp!CTool::GetToolMode+0x4ac7
00000037`e49cf0f0 00007ffe`1169f6e9 : 00000037`e49cf370 00000000`00000001 00000000`00000001 0000015f`2eaff600 :
CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
00000037`e49cf130 00007ffe`1169f849 : 0000015f`2eb00120 00000037`e49cf370 00000037`e49cf300 4b18a26b`5f3d1849 :
CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
00000037`e49cf1c0 00007ffe`11683e49 : 00000167`58660188 0000015f`2ac1edb0 0000015f`2ac1edb0 0000015f`2ea4d098 :
CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
00000037`e49cf200 00007ffe`105a9069 : 00007ffe`17286a58 0000015f`2abb7450 00007ffe`17286a58 00000000`00000000 :
CrlFrmWk!IAppFramework::GetInstance+0x11a9
00000037`e49cf5d0 00007ff6`656a1d92 : 00000037`e49cf750 00000037`e49cf750 00000000`00000000 0000015f`2ab22601 :
corelpp!StartApp+0x279
00000037`e49cf6b0 00007ff6`656a15a6 : 00000037`e49cf750 00000000`0000000a 00000000`00000000 00000000`00000003 :
CorelPP_APP+0x1d92
00000037`e49cf710 00007ff6`656a7466 : 00000000`00000000 00007ff6`656afd90 00000000`00000000 00000000`00000000 :
CorelPP_APP+0x15a6
00000037`e49cf800 00007ffe`396c8364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 :
CorelPP_APP+0x7466
00000037`e49cf840 00007ffe`3bd370d1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 :
KERNEL32!BaseThreadInitThunk+0x14
00000037`e49cf870 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 :
ntdll!RtlUserThreadStart+0x21
STACK_COMMAND: .cxr 0x0 ; kb
FAULTING_SOURCE_LINE: f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm
FAULTING_SOURCE_FILE: f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm
FAULTING_SOURCE_LINE_NUMBER: 135
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: vcruntime140!memcpy+57
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: VCRUNTIME140
IMAGE_NAME: VCRUNTIME140.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 563c45c0
FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000005_VCRUNTIME140.dll!memcpy
BUCKET_ID: APPLICATION_FAULT_WRONG_SYMBOLS_vcruntime140!memcpy+57
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:wrong_symbols_c0000005_vcruntime140.dll!memcpy
FAILURE_ID_HASH: {af9e04a5-399b-60ad-9abe-5412f864504e}
Followup: MachineOwner
---------
2017-03-28 - Vendor Disclosure
2017-07-20 - Public Release
Discovered by a member of Cisco Talos