Talos Vulnerability Report

TALOS-2018-0528

Hyland Perceptive Document Filters OpenDocument to JPEG conversion SkCanvas Code Execution vulnerability

April 26, 2018
CVE Number

CVE-2018-3845

Summary

An exploitable double free exists in the OpenDocument to JPEG conversion functionality of Hyland Perceptive Document Filters version 11.4.0.2647. A crafted OpenDocument document can lead to an SkCanvas object double free, resulting in direct code execution.

Tested Versions

Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux

Product URLs

https://www.hyland.com/en/perceptive#docfilters

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-415: Double Free

Details

This vulnerability is present in the Hyland Perceptive Document Filters conversion library, which is used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services.

It can convert common formats, such as Microsoft's document formats, into more usable and easily viewed formats. There is a vulnerability in the conversion process of an OpenDocument document to JPEG: a specially crafted OpenDocument file can lead to an SkCanvas object double free and remote code execution. Let's investigate this vulnerability. After attempting to convert a malicious OpenDocument with the Hyland command line tool under WinDbg, with full page heap enabled for the process, we see the following state:

//page heap is turned on +hpa
windbg.exe isys_doc2text.exe --jpg malicious_opendocument

(4c0.1e70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00f5e788 ebx=00000000 ecx=10f06f00 edx=02000000 esi=1056ef98 edi=10570ff0
eip=6235cfd1 esp=00f5e770 ebp=00f5e794 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
ISYSreadershd!IGR_ImageExport+0xe7f71:
6235cfd1 8b01            mov     eax,dword ptr [ecx]  ds:002b:10f06f00=????????

Showing more context

0:000> u eip-5
ISYSreadershd!IGR_ImageExport+0xe7f6c:
6235cfcc 0c85            or      al,85h
6235cfce c9              leave
6235cfcf 7406            je      ISYSreadershd!IGR_ImageExport+0xe7f77 (6235cfd7)
6235cfd1 8b01            mov     eax,dword ptr [ecx]
6235cfd3 6a01            push    1
6235cfd5 ff10            call    dword ptr [eax]
6235cfd7 8b7e08          mov     edi,dword ptr [esi+8]
6235cfda 85ff            test    edi,edi

This is a virtual function call through a previously freed object: ecx holds the object pointer, the faulting instruction loads its vtable pointer from [ecx], and the call that follows goes through that table. Because full page heap makes freed pages inaccessible, the load faults instead of silently reading stale data. !heap confirms that the block is in the freed state:

0:000> !heap -p -a ecx
    address 10f06f00 found in
    _DPH_HEAP_ROOT @ 78f1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                   12da9af8:         10f06000             2000
    6329ab22 verifier!AVrfDebugPageHeapFree+0x000000c2
    77045918 ntdll!RtlDebugFreeHeap+0x0000003c
    76ff5be1 ntdll!RtlpFreeHeap+0x00056161
    76f9fa0d ntdll!RtlFreeHeap+0x000007cd
    62676591 ISYSreadershd!IGR_ImageExport+0x00401531
    62640792 ISYSreadershd!IGR_ImageExport+0x003cb732
    623d973c ISYSreadershd!IGR_ImageExport+0x001646dc
    61e0eb4c ISYSreadershd+0x0003eb4c
    622a628e ISYSreadershd!IGR_ImageExport+0x0003122e
    622a5ed3 ISYSreadershd!IGR_ImageExport+0x00030e73
    6233d6c4 ISYSreadershd!IGR_ImageExport+0x000c8664
    622ac13f ISYSreadershd!IGR_ImageExport+0x000370df
    622ac3c0 ISYSreadershd!IGR_ImageExport+0x00037360
    622acb3b ISYSreadershd!IGR_ImageExport+0x00037adb
    622abe79 ISYSreadershd!IGR_ImageExport+0x00036e19
    622673e4 ISYSreadershd!ISYS_GetHeapHandle+0x000ea7e4
    62d441fa isysreaders+0x001d41fa
    631cef8f ISYS11df!IGR_Render_Page+0x0000005f
    0037a2c8 isys_doc2text+0x0002a2c8
    003771fb isys_doc2text+0x000271fb
    0037612f isys_doc2text+0x0002612f
    003a4c52 isys_doc2text+0x00054c52
    003a2cc5 isys_doc2text+0x00052cc5
    0037cf76 isys_doc2text+0x0002cf76
    00457f44 isys_doc2text+0x00107f44
    751c8654 KERNEL32!BaseThreadInitThunk+0x00000024
    76fc4a77 ntdll!__RtlUserThreadStart+0x0000002f
    76fc4a47 ntdll!_RtlUserThreadStart+0x0000001b

Checking the Linux version, we can obtain a bit more information from the partial symbols that are available:

image base:
0xf4a9b000 0xf54c5000 r-xp      /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so

[----------------------------------registers-----------------------------------]
EAX: 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 --> 0x0 
EBX: 0xf54dff0c --> 0xa42fcc 
ECX: 0x8a17e1c --> 0x0 
EDX: 0x8a17c08 --> 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 --> 0x0 
ESI: 0x8a17e18 --> 0xf54da798 --> 0xf51e89d0 --> 0x83e58955 
EDI: 0x8a16300 --> 0xf54da780 --> 0xf51f0770 --> 0x57e58955 
EBP: 0xffa1e4a8 --> 0xffa1e4c8 --> 0xffa1e4e8 --> 0xffa1e508 --> 0xffa1e528 --> 0xffa1e578 (--> ...)
ESP: 0xffa1e480 --> 0x8a17c08 --> 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 (--> ...)
EIP: 0xf51f06c0 --> 0x830450ff
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xf51f06ba:  sub    esp,0xc
   0xf51f06bd:  mov    eax,DWORD PTR [edx]
   0xf51f06bf:  push   edx
=> 0xf51f06c0:  call   DWORD PTR [eax+0x4]
   0xf51f06c3:  add    esp,0x10
   0xf51f06c6:  mov    esi,DWORD PTR [edi+0x4]
   0xf51f06c9:  test   esi,esi
   0xf51f06cb:  je     0xf51f06e1
Guessed arguments:
arg[0]: 0x8a17c08 --> 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 --> 0x0 



//Double Free call stack
#0  0xf51f06bf in ISYS_NS::CGdiCanvasImpl::~CGdiCanvasImpl () from ./libISYSreadershd.so
#1  0xf51e89e9 in ?? () from ./libISYSreadershd.so
#2  0xf4b4b028 in ?? () from ./libISYSreadershd.so
#3  0xf51d9b1f in ISYS_NS::CGdiCanvas::~CGdiCanvas() () from ./libISYSreadershd.so
#4  0xf51e8829 in ?? () from ./libISYSreadershd.so
#5  0xf51f01e8 in ISYS_NS::CGdiBitmapImpl::~CGdiBitmapImpl() () from ./libISYSreadershd.so
#6  0xf51e88e9 in ?? () from ./libISYSreadershd.so
#7  0xf51db388 in ISYS_NS::CGdiBitmap::~CGdiBitmap() () from ./libISYSreadershd.so
#8  0xf5227233 in ?? () from ./libISYSreadershd.so
#9  0xf50b3221 in ?? () from ./libISYSreadershd.so
#10 0xf522172d in ?? () from ./libISYSreadershd.so
#11 0xf51a621f in ?? () from ./libISYSreadershd.so
#12 0xf518a8bd in ?? () from ./libISYSreadershd.so
#13 0xf591c6c3 in ?? () from ./libISYSreaders.so
#14 0xf7ef4c28 in IGR_Close_Canvas () from ./libISYS11df.so
#15 0x0805bda0 in ?? ()
#16 0x08061690 in ?? ()
#17 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#18 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#19 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#20 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#21 0x08054e88 in ?? ()
#22 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291
#23 0x080531b1 in ?? ()

Tracking this object's life cycle, we can see its creation inside the ISYS_NS::CGdiCanvasImpl::CGdiCanvasImpl constructor, which allocates 0xFC (252) bytes for the SkCanvas and stores the resulting pointer in the CGdiCanvasImpl object:

Object allocation call stack

#0  0xf51f0977 in ISYS_NS::CGdiCanvasImpl () from ./libISYSreadershd.so
#1  0xf51e65d0 in ?? () from ./libISYSreadershd.so
#2  0xf5229bf4 in ?? () from ./libISYSreadershd.so
#3  0xf50b9f46 in ?? () from ./libISYSreadershd.so
#4  0xf50b3539 in ?? () from ./libISYSreadershd.so
#5  0xf5196e5d in ?? () from ./libISYSreadershd.so
#6  0xf591c595 in ?? () from ./libISYSreaders.so
#7  0xf7ef4bda in IGR_Render_Page () from ./libISYS11df.so
#8  0x0805bbd8 in ?? ()
#9  0x08061690 in ?? ()
#10 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#11 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#12 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#13 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#14 0x08054e88 in ?? ()
#15 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291
#16 0x080531b1 in ?? ()



.text:F51F095C                 push    0FCh            ; unsigned int
.text:F51F0961                 call    operator new(uint)
.text:F51F0966                 mov     esi, eax
.text:F51F0968                 pop     ecx
.text:F51F0969                 pop     eax
.text:F51F096A                 push    edi             ; SkBitmap *
.text:F51F096B                 push    esi             ; this
.text:F51F096C                 call    SkCanvas::SkCanvas(SkBitmap const&)
.text:F51F0971                 add     esp, 10h
.text:F51F0974                 mov     edx, [ebp+arg_0]
.text:F51F0977                 mov     [edx+8], esi

Further on, inside the sub_F511F5F0 function (reached from IGR_Render_Page, as the call stack below shows), we can observe a call at address F511FCE3 to the SkCanvas::~SkCanvas virtual destructor, which deallocates the object:

sub_F511F5F0
(...)
.text:F511FCD7                 sub     esp, 0Ch
.text:F511FCDA                 mov     edx, [ebp+var_164]
.text:F511FCE0                 mov     eax, [edx]
.text:F511FCE2                 push    edx
.text:F511FCE3                 call    dword ptr [eax+4] ; SkCanvas::~SkCanvas
.text:F511FCE6                 add     esp, 10h


Call stack for the first deallocation

#0  0xf46f6bed in SkCanvas::~SkCanvas() () from ./libISYSgraphics.so
#1  0xf511fce6 in ?? () from ./libISYSreadershd.so
#2  0xf5083569 in ?? () from ./libISYSreadershd.so
#3  0xf50832e4 in ?? () from ./libISYSreadershd.so
#4  0xf508331d in ?? () from ./libISYSreadershd.so
#5  0xf50833bb in ?? () from ./libISYSreadershd.so
#6  0xf5224987 in ?? () from ./libISYSreadershd.so
#7  0xf50b4af7 in ?? () from ./libISYSreadershd.so
#8  0xf50b4cdd in ?? () from ./libISYSreadershd.so
#9  0xf50ba2d1 in ?? () from ./libISYSreadershd.so
#10 0xf50b3539 in ?? () from ./libISYSreadershd.so
#11 0xf5196e5d in ?? () from ./libISYSreadershd.so
#12 0xf591c595 in ?? () from ./libISYSreaders.so
#13 0xf7ef4bda in IGR_Render_Page () from ./libISYS11df.so
#14 0x0805bbd8 in ?? ()
#15 0x08061690 in ?? ()
#16 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#17 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#18 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#19 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#20 0x08054e88 in ?? ()
#21 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291
#22 0x080531b1 in ?? ()

Next, when the canvas is closed, the ISYS_NS::CGdiCanvasImpl::~CGdiCanvasImpl destructor calls the SkCanvas::~SkCanvas virtual destructor again on the same, already freed, object:

.text:F51F0690 ISYS_NS::CGdiCanvasImpl::~CGdiCanvasImpl() proc near
.text:F51F0690 
(...)
.text:F51F06BA                 sub     esp, 0Ch
.text:F51F06BD                 mov     eax, [edx]
.text:F51F06BF                 push    edx
.text:F51F06C0                 call    dword ptr [eax+4] ; SkCanvas::~SkCanvas()
.text:F51F06C3                 add     esp, 10h


Call stack for second free
#0  0xf51f06c0 in ?? () from ./libISYSreadershd.so
#1  0xf51e89e9 in ?? () from ./libISYSreadershd.so
#2  0xf4b4b028 in ?? () from ./libISYSreadershd.so
#3  0xf51d9b1f in ?? () from ./libISYSreadershd.so
#4  0xf51e8829 in ?? () from ./libISYSreadershd.so
#5  0xf51f01e8 in ?? () from ./libISYSreadershd.so
#6  0xf51e88e9 in ?? () from ./libISYSreadershd.so
#7  0xf51db388 in ?? () from ./libISYSreadershd.so
#8  0xf5227233 in ?? () from ./libISYSreadershd.so
#9  0xf50b3221 in ?? () from ./libISYSreadershd.so
#10 0xf522172d in ?? () from ./libISYSreadershd.so
#11 0xf51a621f in ?? () from ./libISYSreadershd.so
#12 0xf518a8bd in ?? () from ./libISYSreadershd.so
#13 0xf591c6c3 in ?? () from ./libISYSreaders.so
#14 0xf7ef4c28 in IGR_Close_Canvas () from ./libISYS11df.so
#15 0x0805bda0 in ?? ()
#16 0x08061690 in ?? ()
#17 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#18 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#19 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#20 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#21 0x08054e88 in ?? ()
#22 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291
#23 0x080531b1 in ?? () 

resulting in a double free of the SkCanvas object. The Valgrind output below shows the page render failing with "Could not read ZIP file entry" immediately before the first invalid read is reported, and the two call stacks place the first release under IGR_Render_Page and the second under IGR_Close_Canvas; this is consistent with the render's error path releasing the SkCanvas while the owning CGdiCanvasImpl keeps its stale pointer and releases it again when the canvas is closed. Note also that the second destructor call first loads the vtable pointer from the freed block (mov eax, [edx]) and only then calls through it (call dword ptr [eax+4]). An attacker who reclaims the freed 252-byte block with controlled data between the first and the second deallocation therefore controls the target of that indirect call, which is what makes this double free readily exploitable for arbitrary code execution.
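The life cycle traced above, reduced to its ownership mistake, as an added model in C. This is an illustration written for this page, not Hyland's code: the struct and function names, the render/close split and the quarantining debug heap are hypothetical stand-ins for the CGdiCanvasImpl constructor, the sub_F511F5F0 error path, ~CGdiCanvasImpl and the page heap / Valgrind checks shown in the call stacks. The vulnerable flow releases the SkCanvas on the render path and again from the owner's destructor; the hardened flow clears the owner's pointer once the object is gone, which is the minimal fix for this pattern.

```c
/* Ownership bug behind a double free of a Skia canvas, modelled in C. Added
 * illustration, not Hyland's code: every name is a hypothetical stand-in for
 * CGdiCanvasImpl, SkCanvas and the render/close paths in the call stacks. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#define MAX_BLOCKS 64

/* SkCanvas stand-in: vtable pointer, then object state (252 bytes on 32-bit). */
typedef struct Canvas Canvas;
typedef struct { void (*dtor)(Canvas *); } CanvasVtbl;
struct Canvas { const CanvasVtbl *vtbl; unsigned char state[248]; };

/* Tiny debug heap in the spirit of page heap / Valgrind: released blocks are
 * poisoned and quarantined, so a second release or a virtual call through a
 * released block is reported instead of corrupting the real allocator. */
static void *g_live[MAX_BLOCKS], *g_quarantine[MAX_BLOCKS];
static int g_errors;   /* double frees and calls through freed objects */

static void *debug_new(size_t n) {
    void *p = calloc(1, n);
    for (int i = 0; p && i < MAX_BLOCKS; i++)
        if (!g_live[i]) { g_live[i] = p; return p; }
    abort();           /* out of memory or out of tracking slots */
}

static bool debug_is_live(const void *p) {
    for (int i = 0; i < MAX_BLOCKS; i++) if (g_live[i] == p) return true;
    return false;
}

static void debug_delete(void *p, size_t n) {
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (g_live[i] != p) continue;
        g_live[i] = NULL;
        memset(p, 0xDD, n);   /* poison, like page heap's freed-block fill */
        for (int j = 0; j < MAX_BLOCKS; j++)
            if (!g_quarantine[j]) { g_quarantine[j] = p; return; }
        abort();              /* quarantine full */
    }
    g_errors++;               /* "Invalid free()": p is not a live block */
}

int debug_live_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_BLOCKS; i++) n += g_live[i] != NULL;
    return n;
}

/* SkCanvas::~SkCanvas stand-in: the virtual destructor frees the object. */
static void canvas_dtor(Canvas *c) { debug_delete(c, sizeof *c); }
static const CanvasVtbl canvas_vtbl = { canvas_dtor };
static Canvas *canvas_new(void) {
    Canvas *c = debug_new(sizeof *c);
    c->vtbl = &canvas_vtbl;
    return c;
}

/* `delete canvas` through the vtable (mov eax,[edx] / call [eax+4] in the
 * advisory). Loading the vtable pointer from a freed block is the first bad
 * access, so it is flagged here; a production allocator would instead read
 * whatever data now occupies the block and call through it. */
static void canvas_virtual_delete(Canvas *c) {
    if (!debug_is_live(c)) { g_errors++; return; }   /* "Invalid read of size 4" */
    c->vtbl->dtor(c);
}

/* CGdiCanvasImpl stand-in: owns the canvas through a raw pointer, as the
 * mov [edx+8], esi store in the constructor suggests. */
typedef struct { void *bitmap; void *reserved; Canvas *canvas; } GdiCanvasImpl;
static GdiCanvasImpl *gdi_canvas_create(void) {
    GdiCanvasImpl *impl = debug_new(sizeof *impl);
    impl->canvas = canvas_new();
    return impl;
}

/* Render path (under IGR_Render_Page). When the page cannot be rendered the
 * vulnerable version releases the canvas but leaves impl->canvas dangling;
 * the hardened version clears the owner's pointer once the object is gone. */
static int render_page(GdiCanvasImpl *impl, bool entry_readable, bool hardened) {
    if (entry_readable) return 0;
    canvas_virtual_delete(impl->canvas);   /* first SkCanvas::~SkCanvas */
    if (hardened) impl->canvas = NULL;
    return 4;                              /* "Could not read ZIP file entry" */
}

/* Close path (under IGR_Close_Canvas): ~CGdiCanvasImpl releases what it owns. */
static void gdi_canvas_close(GdiCanvasImpl *impl) {
    if (impl->canvas) canvas_virtual_delete(impl->canvas);   /* second ~SkCanvas */
    debug_delete(impl, sizeof *impl);
}

/* Render and close one document; return how many heap errors were reported. */
int convert_document(bool entry_readable, bool hardened) {
    g_errors = 0;
    GdiCanvasImpl *impl = gdi_canvas_create();
    render_page(impl, entry_readable, hardened);
    gdi_canvas_close(impl);
    return g_errors;
}
```

Calling convert_document(false, false) from a main returns 1 (the debug heap reports the second release), convert_document(false, true) returns 0, and debug_live_count() is 0 afterwards, so the hardened version neither double frees nor leaks. Note where the detection fires: on the vtable load in canvas_virtual_delete, before any call through it, which is the same instruction the WinDbg and Valgrind traces on this page stop on.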

Crash Information

==6702== Command: ./isys_doc2text --jpg -o /tmp ./storage/7afffeb388f9aebf11226b95328be2f7
==6702== 
[1] File type: Open Document Format (76); Capabilities: 7 - ./storage/7afffeb388f9aebf11226b95328be2f7
[00000000] IGR_RENDER_PAGE failed on ./storage/7afffeb388f9aebf11226b95328be2f7 with code 4 [Could not read ZIP file entry]
==6702== Invalid read of size 4
==6702==    at 0x78956BD: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D9E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x71F0027: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x787EB1E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D828: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78951E7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D8E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7880387: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78CC232: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758220: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78C672C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x784B21E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==  Address 0x6c69890 is 0 bytes inside a block of size 252 free'd
==6702==    at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702==    by 0x8D49BF4: SkCanvas::~SkCanvas() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702==    by 0x77C4CE5: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7728568: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x77282E3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x772831C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x77283BA: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78C9986: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7759AF6: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7759CDC: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x775F2D0: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==  Block was alloc'd at
==6702==    at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702==    by 0x7895965: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788B5CF: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78CEBF3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x775EF45: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x783BE5C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x67BE594: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreaders.so)
==6702==    by 0x403CBD9: IGR_Render_Page (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYS11df.so)
==6702==    by 0x805BBD7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==    by 0x806168F: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==    by 0x8068C26: main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702== 
==6702== Invalid write of size 4
==6702==    at 0x8D2A02F: SkRefCntBase::~SkRefCntBase() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702==    by 0x78956C2: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D9E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x71F0027: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x787EB1E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D828: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78951E7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D8E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7880387: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78CC232: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758220: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78C672C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==  Address 0x6c69890 is 0 bytes inside a block of size 252 free'd
==6702==    at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702==    by 0x8D49BF4: SkCanvas::~SkCanvas() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702==    by 0x77C4CE5: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7728568: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x77282E3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x772831C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x77283BA: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78C9986: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7759AF6: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7759CDC: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x775F2D0: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==  Block was alloc'd at
==6702==    at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702==    by 0x7895965: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788B5CF: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78CEBF3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x775EF45: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x783BE5C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x67BE594: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreaders.so)
==6702==    by 0x403CBD9: IGR_Render_Page (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYS11df.so)
==6702==    by 0x805BBD7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==    by 0x806168F: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==    by 0x8068C26: main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702== 
==6702== Invalid free() / delete / delete[] / realloc()
==6702==    at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702==    by 0x8D2A036: SkRefCntBase::~SkRefCntBase() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702==    by 0x78956C2: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D9E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x71F0027: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x787EB1E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D828: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78951E7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D8E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7880387: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78CC232: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758220: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==  Address 0x6c69890 is 0 bytes inside a block of size 252 free'd
==6702==    at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702==    by 0x8D49BF4: SkCanvas::~SkCanvas() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702==    by 0x77C4CE5: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7728568: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x77282E3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x772831C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x77283BA: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78C9986: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7759AF6: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7759CDC: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x775F2D0: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==  Block was alloc'd at
==6702==    at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702==    by 0x7895965: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788B5CF: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78CEBF3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x775EF45: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x783BE5C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x67BE594: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreaders.so)
==6702==    by 0x403CBD9: IGR_Render_Page (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYS11df.so)
==6702==    by 0x805BBD7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==    by 0x806168F: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==    by 0x8068C26: main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702== 
[1] Returned 3 page(s)
==6702== 
==6702== HEAP SUMMARY:
==6702==     in use at exit: 21,065 bytes in 12 blocks
==6702==   total heap usage: 64,861 allocs, 64,850 frees, 42,305,231 bytes allocated
==6702== 
==6702== LEAK SUMMARY:
==6702==    definitely lost: 0 bytes in 0 blocks
==6702==    indirectly lost: 0 bytes in 0 blocks
==6702==      possibly lost: 0 bytes in 0 blocks
==6702==    still reachable: 21,065 bytes in 12 blocks
==6702==         suppressed: 0 bytes in 0 blocks
==6702== Rerun with --leak-check=full to see details of leaked memory
==6702== 
==6702== For counts of detected and suppressed errors, rerun with: -v
==6702== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)

Timeline

2018-02-22 - Vendor Disclosure
2018-03-22 - Vendor patched
2018-04-26 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.