CVE-2018-3844
An exploitable use-after-free vulnerability exists in the DOCX to HTML conversion functionality of Hyland Perceptive Document Filters version 11.4.0.2647. A crafted DOCX document can lead to a use-after-free resulting in direct code execution.
Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux
https://www.hyland.com/en/perceptive#docfilters
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free
This vulnerability is present in the Hyland Document Filters conversion functionality, which is used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services.
It can convert common formats such as Microsoft’s document formats into more usable and easily viewed formats.
There is a vulnerability in the conversion process of a DOCX document to HTML. A specially crafted DOCX file can lead to a use-after-free and remote code execution.
Let’s investigate this vulnerability. After we attempt to convert a malicious DOCX using the Hyland library we see the following state:
//page heap is turned on +hpa
windbg.exe isys_doc2text.exe --html malicious.docx
(448c.13a8): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 31815B:0
eax=289aaff0 ebx=289aaff0 ecx=24f40f90 edx=62f058a0 esi=00000080 edi=63299690
eip=62f058ac esp=0084e148 ebp=0084e150 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
ISYSreadershd!IGR_ImageExport+0x2c084c:
62f058ac 8b01 mov eax,dword ptr [ecx] ds:002b:24f40f90=63123300
Showing more context
62f058a0 55 push ebp
62f058a1 8bec mov ebp,esp
62f058a3 8b4904 mov ecx,dword ptr [ecx+4]
62f058a6 ff750c push dword ptr [ebp+0Ch]
62f058a9 ff7508 push dword ptr [ebp+8]
62f058ac 8b01 mov eax,dword ptr [ecx]
62f058ae ff5008 call dword ptr [eax+8]
62f058b1 33c9 xor ecx,ecx
62f058b3 3b450c cmp eax,dword ptr [ebp+0Ch]
62f058b6 0f94c0 sete al
62f058b9 5d pop ebp
62f058ba c20800 ret 8
We see an obvious attempt to make a virtual function call on a previously freed object. Further examination confirms our assumptions:
0:000> !heap -p -a ecx
address 24f40f90 found in
_DPH_HEAP_ROOT @ 167b1000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
29892208: 24f40000 2000
641bab22 verifier!AVrfDebugPageHeapFree+0x000000c2
77845958 ntdll!RtlDebugFreeHeap+0x0000003c
777f5c1d ntdll!RtlpFreeHeap+0x0005619d
7779fa0d ntdll!RtlFreeHeap+0x000007cd
63046591 ISYSreadershd!IGR_ImageExport+0x00401531
63010792 ISYSreadershd!IGR_ImageExport+0x003cb732
62b451f9 ISYSreadershd!IGR_HtmlExport+0x002f5c09
62aa3853 ISYSreadershd!IGR_HtmlExport+0x00254263
628e077d ISYSreadershd!IGR_HtmlExport+0x0009118d
62aa25b8 ISYSreadershd!IGR_HtmlExport+0x00252fc8
62aa36de ISYSreadershd!IGR_HtmlExport+0x002540ee
62aa389b ISYSreadershd!IGR_HtmlExport+0x002542ab
62849e59 ISYSreadershd+0x000a9e59
6284aa1b ISYSreadershd+0x000aaa1b
628486e8 ISYSreadershd+0x000a86e8
6399d749 isysreaders+0x001dd749
63999c2e isysreaders+0x001d9c2e
63e1edd3 ISYS11df!IGR_Open_Stream_Ex+0x000000b3
009b892f isys_doc2text+0x0002892f
009b71fb isys_doc2text+0x000271fb
009b612f isys_doc2text+0x0002612f
009e4c52 isys_doc2text+0x00054c52
009e2cc5 isys_doc2text+0x00052cc5
009bcf76 isys_doc2text+0x0002cf76
00a97f44 isys_doc2text+0x00107f44
748c8654 KERNEL32!BaseThreadInitThunk+0x00000024
777c4a77 ntdll!__RtlUserThreadStart+0x0000002f
777c4a47 ntdll!_RtlUserThreadStart+0x0000001b
Checking the Linux version, we can obtain a bit more information from partial symbols:
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff3104188 (:CSkiaStreamBridge+168>: 0x00007ffff2d612b0)
RBX: 0x8
RCX: 0x0
RDX: 0x8
RSI: 0x7fffffffa590 --> 0xa1a0a0d474e5089
RDI: 0x6ea4e0 --> 0x6cf010 --> 0x0
RBP: 0x6d6c30 --> 0x5
RSP: 0x7fffffffa560 --> 0x8
RIP: 0x7ffff2d60de8 (:CSkiaStreamBridge::write(void const*, unsigned long)+8>: 0x39481850ff078b48)
R8 : 0x6
R9 : 0x0
R10: 0x6d6c30 --> 0x5
R11: 0x7ffff2be3950 --> 0x6c8948e8245c8948
R12: 0x7fffffffa590 --> 0xa1a0a0d474e5089
R13: 0x6d6c30 --> 0x5
R14: 0x0
R15: 0x7fffffffafb0 --> 0x7ffff3104188 (:CSkiaStreamBridge+168>: 0x00007ffff2d612b0)
EFLAGS: 0x207 (CARRY PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff2d60de0 <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)>: push rbx
0x7ffff2d60de1 <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)+1>: mov rdi,QWORD PTR [rdi+0x18]
0x7ffff2d60de5 <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)+5>: mov rbx,rdx
=> 0x7ffff2d60de8 <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)+8>: mov rax,QWORD PTR [rdi]
0x7ffff2d60deb <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)+11>: call QWORD PTR [rax+0x18]
0x7ffff2d60dee <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)+14>: cmp rax,rbx
0x7ffff2d60df1 <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)+17>: pop rbx
0x7ffff2d60df2 <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)+18>: sete al
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa560 --> 0x8
0008| 0x7fffffffa568 --> 0x7ffff2be3980 --> 0x241c8b481374c084
0016| 0x7fffffffa570 --> 0x6d6c30 --> 0x5
0024| 0x7fffffffa578 --> 0x6d6c30 --> 0x5
0032| 0x7fffffffa580 --> 0x64 ('d')
0040| 0x7fffffffa588 --> 0x7ffff2881736 --> 0x77020000026dbb80
0048| 0x7fffffffa590 --> 0xa1a0a0d474e5089
0056| 0x7fffffffa598 --> 0x68dd90 --> 0x7ffff5b62780 --> 0x44f2894902f98341
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
//Use After Free call stack
#0 in ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned int) () from ./libISYSgraphics.so
#1 in sk_write_fn(png_struct_def*, unsigned char*, unsigned int) () from ./libISYSgraphics.so
#2 in png_write_data () from ./libISYSgraphics.so
#3 in png_write_sig () from ./libISYSgraphics.so
#4 in png_write_info_before_PLTE () from ./libISYSgraphics.so
#5 in png_write_info () from ./libISYSgraphics.so
#6 in SkPNGImageEncoder::doEncode(SkWStream*, SkBitmap const&, bool const&, int, int, SkBitmap::Config, png_color_8_struct&, SkImageEncoderDetails const*) () from ./libISYSgraphics.so
#7 in SkPNGImageEncoder::onEncode(SkWStream*, SkBitmap const&, int, SkImageEncoderDetails const*) () from ./libISYSgraphics.so
#8 in SkImageEncoder::encodeStream(SkWStream*, SkBitmap const&, int, SkImageEncoderDetails const*) () from ./libISYSgraphics.so
#9 in SkImageEncoder::EncodeStream(SkWStream*, SkBitmap const&, SkImageEncoder::Type, int, SkImageEncoderDetails const*) () from ./libISYSgraphics.so
#10 in CairoPNGCanvas::closeCanvas() () from ./libISYSreadershd.so
#11 in common::EscherDraw::closeCanvas() () from ./libISYSreadershd.so
#12 in TextHtmlWriter::addDrawing(intermediate::common::IDrawing*) () from ./libISYSreadershd.so
#13 in TextHtmlWriter::writeParasRunObjects(std::list<intermediate::common::IObject*, std::allocator<intermediate::common::IObject*> >, double*, double*) () from ./libISYSreadershd.so
#14 in TextHtmlWriter::writeParagraph(WriterBaseStream&, intermediate::common::ITextParagraph*, bool, bool, bool) () from ./libISYSreadershd.so
#15 in TextHtmlWriter::writeParagraphs(intermediate::common::ITextDocumentContent const*, WriterBaseStream&) () from ./libISYSreadershd.so
#16 in TextHtmlWriter::writeContent(intermediate::common::ITextDocumentContent const*) () from ./libISYSreadershd.so
#17 in TextDocumentWriter::convert() () from ./libISYSreadershd.so
#18 in ISYS_NS::LibraryHD::CDocument::processWriter(WriterBase*) () from ./libISYSreadershd.so
#19 in ISYS_NS::LibraryHD::CDocument::openWord(ISYS_NS::CStream*, common::tools::XMLScanner::XMLScannerType) () from ./libISYSreadershd.so
#20 in ISYS_NS::LibraryHD::CDocument::open(IGR_Stream*, int, wchar_t const*) () from ./libISYSreadershd.so
#21 in ISYS_NS::LibraryHD::IGR_HDAPI_Open(IGR_Stream*, int, wchar_t const*, void**, wchar_t*) () from ./libISYSreadershd.so
#22 in ISYS_NS::exports::IGR_Open_File_FromStream(wchar_t const*, wchar_t const*, ISYS_NS::CStream*, bool, ISYS_NS::exports::Ext_Open_Options*, int, wchar_t const*, int*, int*, void**, int*, int, Error_Control_Block*) () from ./libISYSreaders.so
#23 in ISYS_NS::exports::IGR_Open_Stream_Ex(IGR_Stream*, int, unsigned short const*, int*, int*, void**, Error_Control_Block*) () from ./libISYSreaders.so
#24 in IGR_Open_Stream_Ex () from ./libISYS11df.so
#25 in processStream(std::string const&, tagTIGR_Stream*, bool, int, int, bool, std::ostream&, int, double) ()
#26 in processFile(std::string const&, int, int, bool, std::ostream&) ()
#27 in main ()
Tracking this object’s life cycle, we can see its creation inside the TextHtmlWriter::addDrawing method:
Object allocation call stack
#0 in ISYS_NS::CTemporaryStream::CTemporaryStream(wchar_t const*, unsigned int) () from ./libISYSshared.so
#1 in TextHtmlWriter::addDrawing(intermediate::common::IDrawing*) () from ./libISYSreadershd.so
#2 in TextHtmlWriter::writeParasRunObjects(std::list<intermediate::common::IObject*, std::allocator<intermediate::common::IObject*> >, double*, double*) () from ./libISYSreadershd.so
#3 in TextHtmlWriter::writeParagraph(WriterBaseStream&, intermediate::common::ITextParagraph*, bool, bool, bool) () from ./libISYSreadershd.so
#4 in TextHtmlWriter::writeParagraphs(intermediate::common::ITextDocumentContent const*, WriterBaseStream&) () from ./libISYSreadershd.so
#5 in TextHtmlWriter::writeContent(intermediate::common::ITextDocumentContent const*) () from ./libISYSreadershd.so
#6 in TextDocumentWriter::convert() () from ./libISYSreadershd.so
#7 in ISYS_NS::LibraryHD::CDocument::processWriter(WriterBase*) () from ./libISYSreadershd.so
#8 in ISYS_NS::LibraryHD::CDocument::openWord(ISYS_NS::CStream*, common::tools::XMLScanner::XMLScannerType) () from ./libISYSreadershd.so
#9 in ISYS_NS::LibraryHD::CDocument::open(IGR_Stream*, int, wchar_t const*) () from ./libISYSreadershd.so
#10 in ISYS_NS::LibraryHD::IGR_HDAPI_Open(IGR_Stream*, int, wchar_t const*, void**, wchar_t*) () from ./libISYSreadershd.so
#11 in ISYS_NS::exports::IGR_Open_File_FromStream(wchar_t const*, wchar_t const*, ISYS_NS::CStream*, bool, ISYS_NS::exports::Ext_Open_Options*, int, wchar_t const*, int*, int*, void**, int*, int, Error_Control_Block*) () from ./libISYSreaders.so
#12 in ISYS_NS::exports::IGR_Open_Stream_Ex(IGR_Stream*, int, unsigned short const*, int*, int*, void**, Error_Control_Block*) () from ./libISYSreaders.so
#13 in IGR_Open_Stream_Ex () from ./libISYS11df.so
#14 in processStream(std::string const&, tagTIGR_Stream*, bool, int, int, bool, std::ostream&, int, double) ()
#15 in processFile(std::string const&, int, int, bool, std::ostream&) ()
#16 in main ()
// libISYSreadershd image base : 0xF4AE6000
.text:F4FA1060 TextHtmlWriter::addDrawing(intermediate::common::IDrawing *) proc near
(...)
.text:F4FA1AFB push 0A00000h ; unsigned int
.text:F4FA1B00 push 0 ; wchar_t *
.text:F4FA1B02 push eax ; this
.text:F4FA1B03 call ISYS_NS::CTemporaryStream::CTemporaryStream(wchar_t const*,uint) ; VULN OBJECT
.text:F4FA1B08 mov dword ptr [esp], 10h ; unsigned int
.text:F4FA1B0F call operator new(uint)
Later, during destruction of the document object in ISYS_NS::LibraryHD::CDocument::~CDocument, inside the sub_F4FC12A0 function, we can observe a call at address F4FC12FD which deallocates the vulnerable object:
sub_F4FC12A0
(...)
.text:F4FC12F7 sub esp, 0Ch
.text:F4FC12FA mov eax, [edx]
.text:F4FC12FC push edx
.text:F4FC12FD call dword ptr [eax+4]
.text:F4FC1300
.text:F4FC1300 i:
.text:F4FC1300 add esp, 10h
.text:F4FC1303
.text:F4FC1303 loc_F4FC1303: ; CODE XREF: sub_F4FC12A0+55↑j
.text:F4FC1303 sub esp, 0Ch
.text:F4FC1306 push esi
.text:F4FC1307 call std::_Rb_tree_increment(std::_Rb_tree_node_base *)
.text:F4FC130C mov esi, eax
.text:F4FC130E add esp, 10h
.text:F4FC1311 cmp eax, edi
.text:F4FC1313 jnz short loc_F4FC12F0
.text:F4FC1315
.text:F4FC1315 loc_F4FC1315: ; CODE XREF: sub_F4FC12A0+4A↑j
.text:F4FC1315 sub esp, 8
.text:F4FC1318 mov eax, [ebp+var_10]
.text:F4FC131B mov edx, [eax+8]
.text:F4FC131E push edx
.text:F4FC131F push eax
.text:F4FC1320 call sub_F4FC4650
.text:F4FC1325 mov eax, [ebp+arg_0]
.text:F4FC1328 add eax, 20h ; ' '
.text:F4FC132B mov [esp], eax
.text:F4FC132E call common::EscherDraw::closeCanvas(void)
Call stack for deallocation
#0 0xf60a6fdb in ISYS_NS::CStream::~CStream() () from ./libISYSshared.so
#1 0xf608ddee in ISYS_NS::CTemporaryStream::~CTemporaryStream() () from ./libISYSshared.so
#2 0xf4fb550f in ?? () from ./libISYSreadershd.so
#3 0xf4fc1300 in ?? () from ./libISYSreadershd.so
#4 0xf4fbb9a8 in ?? () from ./libISYSreadershd.so
#5 0xf4fa5da1 in ?? () from ./libISYSreadershd.so
#6 0xf52f4dd5 in ISYS_NS::LibraryHD::CDocument::~CDocument () from ./libISYSreadershd.so
#7 0xf52ece6b in ISYS_NS::LibraryHD::IGR_HDAPI_Open () from ./libISYSreadershd.so
#8 0xf5973302 in ?? () from ./libISYSreaders.so
#9 0xf597855d in ISYS_NS::exports::IGR_Open_File_FromStream () from ./libISYSreaders.so
#10 0xf7f405e3 in IGR_Open_Stream_Ex () from ./libISYS11df.so
#11 0x080590eb in ?? ()
#12 0x08061690 in ?? ()
#13 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#14 0xf617c73d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#15 0xf6188ff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#16 0xf6185524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#17 0x08054e88 in ?? ()
#18 0xf5af6637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffb96a24, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f88880 <_dl_fini>, stack_end=0xffb96a1c) at ../csu/libc-start.c:291
#19 0x080531b1 in ?? ()
Next, a few instructions below, at F4FC132E, a call to the common::EscherDraw::closeCanvas method is made:
.text:F4FC1325 mov eax, [ebp+arg_0]
.text:F4FC1328 add eax, 20h ; ' '
.text:F4FC132B mov [esp], eax
.text:F4FC132E call common::EscherDraw::closeCanvas(void)
which internally, as we could see in the Use After Free call stack listing, calls ISYS_NS::CSkiaStreamBridge::write, causing re-use of the freed stream object.
An attacker who properly manipulates the heap state between object deallocation and its re-usage can easily turn this use after free vulnerability into arbitrary code execution.
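The lifetime ordering described above, as an added C++ model that is not code from the advisory or from the vendor: the temporary stream is released before closeCanvas() writes through the bridge. The types Stream, TemporaryStream, StreamBridge, Canvas and Document and both teardown functions are hypothetical stand-ins for the classes named in the traces, and the weak_ptr guard is one possible hardening, not the vendor's patch.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for the stream base class (CStream in the traces).
struct Stream {
    virtual ~Stream() = default;
    virtual std::size_t write(const void* data, std::size_t len) = 0;
};
// Stand-in for CTemporaryStream, the object created in addDrawing.
struct TemporaryStream : Stream {
    std::string buf;
    std::size_t write(const void* data, std::size_t len) override {
        buf.append(static_cast<const char*>(data), len);
        return len;
    }
};
// Stand-in for CSkiaStreamBridge. In the disassembly the bridge loads a pointer
// from its own field and calls through that object's vtable; this model holds a
// weak_ptr instead, so a destroyed target is detected rather than dereferenced.
class StreamBridge {
    std::weak_ptr<Stream> target_;
public:
    explicit StreamBridge(std::weak_ptr<Stream> t) : target_(std::move(t)) {}
    bool write(const void* data, std::size_t len) {
        auto s = target_.lock();   // empty once the stream has been destroyed
        if (!s) return false;      // fail closed: no virtual call on freed memory
        return s->write(data, len) == len;
    }
};
// Stand-in for the canvas whose closeCanvas() encodes a PNG into the bridge.
struct Canvas {
    StreamBridge bridge;
    bool closeCanvas() {
        // The first write is the 8-byte PNG signature (png_write_sig in the traces).
        static const unsigned char sig[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
        return bridge.write(sig, sizeof sig);
    }
};
// Stand-in for the document object that owns the temporary streams.
struct Document {
    std::vector<std::shared_ptr<Stream>> streams;
    std::unique_ptr<Canvas> canvas;

    void addDrawing() {
        auto s = std::make_shared<TemporaryStream>();
        streams.push_back(s);
        canvas.reset(new Canvas{StreamBridge(s)});
    }
    // Order seen in the advisory: streams released first, then closeCanvas().
    bool teardownStreamsFirst() {
        streams.clear();
        return canvas->closeCanvas();   // guarded bridge reports the stale target
    }
    // Corrected order: flush the canvas while its stream is still alive.
    bool teardownCanvasFirst() {
        bool ok = canvas->closeCanvas();
        streams.clear();
        return ok;
    }
};
```

With a raw pointer in the bridge, teardownStreamsFirst() would be the same virtual call on freed memory that page heap and Valgrind report above.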
==24951== Command: ./isys_doc2text --html --no-images -o /tmp/dump /home/icewall/Advisory/perceptive/malicous.docx
==24951==
[1] File type: Microsoft Word (25); Capabilities: 15 - /home/icewall/Advisory/perceptive/malicous.docx
==24951== Invalid read of size 8
==24951== at 0xA7F3DE8: ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
==24951== by 0xA67697F: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
==24951== by 0xA314735: png_write_sig (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
==24951== by 0xA32420A: png_write_info_before_PLTE (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
==24951== by 0xA324396: png_write_info (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
==24951== by 0xA6776CD: SkPNGImageEncoder::doEncode(SkWStream*, SkBitmap const&, bool const&, int, int, SkBitmap::Config, png_color_8_struct&, SkImageEncoderDetails const*) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
==24951== by 0xA677B11: SkPNGImageEncoder::onEncode(SkWStream*, SkBitmap const&, int, SkImageEncoderDetails const*) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
==24951== by 0xA67F318: SkImageEncoder::encodeStream(SkWStream*, SkBitmap const&, int, SkImageEncoderDetails const*) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
==24951== by 0xA67F523: SkImageEncoder::EncodeStream(SkWStream*, SkBitmap const&, SkImageEncoder::Type, int, SkImageEncoderDetails const*) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
==24951== by 0x9550EE2: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x955168B: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x9565EFD: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== Address 0xada3ae0 is 0 bytes inside a block of size 112 free'd
==24951== at 0x4C2F24B: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24951== by 0x52A32C2: ISYS_NS::CTemporaryStream::~CTemporaryStream() (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSshared.so)
==24951== by 0x994BC10: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x9955173: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x993A1EA: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x9C3D345: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x9C35E7E: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x86C44A0: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreaders.so)
==24951== by 0x86C9196: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreaders.so)
==24951== by 0x4E3F87A: IGR_Open_Stream_Ex (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYS11df.so)
==24951== by 0x416BE6: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/isys_doc2text)
==24951== by 0x41EB99: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/isys_doc2text)
==24951== Block was alloc'd at
==24951== at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24951== by 0x993B782: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x993F7A0: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x9943B6A: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x9949E52: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x994B979: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x9951A44: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x9C38AA4: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x9C3B2C2: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x9C3C3FB: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x9C35D75: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)
==24951== by 0x86C44A0: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreaders.so)
==24951==
pure virtual method called
terminate called without an active exception
==24951==
==24951== Process terminating with default action of signal 6 (SIGABRT)
==24951== at 0x800C428: raise (raise.c:54)
==24951== by 0x800E029: abort (abort.c:89)
==24951== by 0x77C584C: __gnu_cxx::__verbose_terminate_handler() (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==24951== by 0x77C36B5: ??? (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==24951== by 0x77C3700: std::terminate() (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==24951== by 0x77C423E: __cxa_pure_virtual (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==24951== by 0xA7F3DED: ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
==24951== by 0xA67697F: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
==24951== by 0xA314735: png_write_sig (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
==24951== by 0xA32420A: png_write_info_before_PLTE (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
==24951== by 0xA324396: png_write_info (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
==24951== by 0xA6776CD: SkPNGImageEncoder::doEncode(SkWStream*, SkBitmap const&, bool const&, int, int, SkBitmap::Config, png_color_8_struct&, SkImageEncoderDetails const*) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)
2018-02-22 - Vendor Disclosure
2018-03-22 - Vendor patched
2018-04-26 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.