
Bug#876001: CVE-2017-14226



For reference, the respective traces:

0.10.1-5:

ASAN:DEADLYSIGNAL
=================================================================
==19356==ERROR: AddressSanitizer: SEGV on unknown address 0x55959d2ac260 (pc 0x55959d04d55f bp 0x7ffcf9f1c3c0 sp 0x7ffcf9f1c368 T0)
==19356==The signal is caused by a WRITE memory access.
    #0 0x55959d04d55e in WPXTableList::WPXTableList(WPXTableList const&) /root/libwpd-0.10.1/src/lib/WPXTable.cpp:169
    #1 0x55959d043484 in WPXHeaderFooter::getTableList() const /root/libwpd-0.10.1/src/lib/WPXPageSpan.h:66
    #2 0x55959d043484 in WP5StylesListener::insertBreak(unsigned char) /root/libwpd-0.10.1/src/lib/WP5StylesListener.cpp:94
    #3 0x55959d0414f3 in WP5Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP5Listener*) /root/libwpd-0.10.1/src/lib/WP5Parser.cpp:102
    #4 0x55959d04162f in WP5Parser::parseSubDocument(librevenge::RVNGTextInterface*) /root/libwpd-0.10.1/src/lib/WP5Parser.cpp:234
    #5 0x55959d037c2a in libwpd::WPDocument::parseSubDocument(librevenge::RVNGInputStream*, librevenge::RVNGTextInterface*, libwpd::WPDFileFormat) /root/libwpd-0.10.1/src/lib/WPDocument.cpp:460
    #6 0x55959d053637 in WP3ContentListener::insertWP51Table(double, double, double, double, unsigned char, unsigned char, unsigned short, WP3SubDocument const*, WP3SubDocument const*) /root/libwpd-0.10.1/src/lib/WP3ContentListener.cpp:867
    #7 0x55959d03f45b in WP3WindowGroup::parse(WP3Listener*) /root/libwpd-0.10.1/src/lib/WP3WindowGroup.cpp:144
    #8 0x55959d03c431 in WP3Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP3Listener*) /root/libwpd-0.10.1/src/lib/WP3Parser.cpp:107
    #9 0x55959d03c492 in WP3Parser::parse(librevenge::RVNGInputStream*, WPXEncryption*, WP3Listener*) /root/libwpd-0.10.1/src/lib/WP3Parser.cpp:76
    #10 0x55959d03c887 in WP3Parser::parse(librevenge::RVNGTextInterface*) /root/libwpd-0.10.1/src/lib/WP3Parser.cpp:153
    #11 0x55959d037ead in libwpd::WPDocument::parse(librevenge::RVNGInputStream*, librevenge::RVNGTextInterface*, char const*) /root/libwpd-0.10.1/src/lib/WPDocument.cpp:345
    #12 0x55959d037560 in main /root/libwpd-0.10.1/src/conv/html/wpd2html.cpp:116
    #13 0x7f0b7533d2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #14 0x55959d037719 in _start (/root/libwpd-0.10.1/src/conv/html/wpd2html+0x10719)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/libwpd-0.10.1/src/lib/WPXTable.cpp:169 in WPXTableList::WPXTableList(WPXTableList const&)
==19356==ABORTING

0.10.0-2:

ASAN:DEADLYSIGNAL
=================================================================
==19364==ERROR: AddressSanitizer: SEGV on unknown address 0x563045443b58 (pc 0x5630451e51c3 bp 0x7ffe20d01590 sp 0x7ffe20d01538 T0)
==19364==The signal is caused by a WRITE memory access.
    #0 0x5630451e51c2 in WPXTableList::WPXTableList(WPXTableList const&) /root/source-libwpd/libwpd-0.10.0/src/lib/WPXTable.cpp:169
    #1 0x5630451db304 in WPXHeaderFooter::getTableList() const /root/source-libwpd/libwpd-0.10.0/src/lib/WPXPageSpan.h:66
    #2 0x5630451db304 in WP5StylesListener::insertBreak(unsigned char) /root/source-libwpd/libwpd-0.10.0/src/lib/WP5StylesListener.cpp:94
    #3 0x5630451d9583 in WP5Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP5Listener*) /root/source-libwpd/libwpd-0.10.0/src/lib/WP5Parser.cpp:102
    #4 0x5630451d96bf in WP5Parser::parseSubDocument(librevenge::RVNGTextInterface*) /root/source-libwpd/libwpd-0.10.0/src/lib/WP5Parser.cpp:234
    #5 0x5630451cfc72 in libwpd::WPDocument::parseSubDocument(librevenge::RVNGInputStream*, librevenge::RVNGTextInterface*, libwpd::WPDFileFormat) /root/source-libwpd/libwpd-0.10.0/src/lib/WPDocument.cpp:452
    #6 0x5630451eb317 in WP3ContentListener::insertWP51Table(double, double, double, double, unsigned char, unsigned char, unsigned short, WP3SubDocument const*, WP3SubDocument const*) /root/source-libwpd/libwpd-0.10.0/src/lib/WP3ContentListener.cpp:867
    #7 0x5630451d74db in WP3WindowGroup::parse(WP3Listener*) /root/source-libwpd/libwpd-0.10.0/src/lib/WP3WindowGroup.cpp:144
    #8 0x5630451d4491 in WP3Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP3Listener*) /root/source-libwpd/libwpd-0.10.0/src/lib/WP3Parser.cpp:107
    #9 0x5630451d44f2 in WP3Parser::parse(librevenge::RVNGInputStream*, WPXEncryption*, WP3Listener*) /root/source-libwpd/libwpd-0.10.0/src/lib/WP3Parser.cpp:76
    #10 0x5630451d48e7 in WP3Parser::parse(librevenge::RVNGTextInterface*) /root/source-libwpd/libwpd-0.10.0/src/lib/WP3Parser.cpp:153
    #11 0x5630451cfefd in libwpd::WPDocument::parse(librevenge::RVNGInputStream*, librevenge::RVNGTextInterface*, char const*) /root/source-libwpd/libwpd-0.10.0/src/lib/WPDocument.cpp:340
    #12 0x5630451cf600 in main /root/source-libwpd/libwpd-0.10.0/src/conv/html/wpd2html.cpp:112
    #13 0x7f757c8b32e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #14 0x5630451cf7b9 in _start (/root/source-libwpd/libwpd-0.10.0/src/conv/html/wpd2html+0x107b9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/source-libwpd/libwpd-0.10.0/src/lib/WPXTable.cpp:169 in WPXTableList::WPXTableList(WPXTableList const&)
==19364==ABORTING

Attaching the reproducer file in case https://bugzilla.redhat.com/show_bug.cgi?id=1489337 disappears.

Regards,
Salvatore

Attachment: poc.xz
Description: application/xz

