I have lost a day (I don't have all this patience, one hour is already too much for me) without understanding how to load a damned custom pfb file, so at the moment I don't know if this bug is really exploitable or not, and in any case I don't want to lose more time on it.
From psprint/source/helper/helper.cxx in OpenOffice 2.4.0:
Code:
bool psp::convertPfbToPfa( ::osl::File& rInFile, ::osl::File& rOutFile )
{
    ...
    while( bSuccess && ! bEof )
    {
        // read leading bytes: 0x80, segment type, 4-byte little-endian length
        bEof = ! rInFile.read( buffer, 6, nRead ) && nRead == 6 ? false : true;
        unsigned int nType = buffer[ 1 ];
        unsigned int nBytesToRead = buffer[2] | buffer[3] << 8 | buffer[4] << 16 | buffer[5] << 24;
        if( buffer[0] != 0x80 ) // test for pfb magic number
        ...
        else if( nType == 1 || nType == 2 )
        {
            // nBytesToRead comes straight from the file; nBytesToRead+1 wraps to 0 for 0xffffffff
            unsigned char* pBuffer = new unsigned char[ nBytesToRead+1 ];
            // up to nBytesToRead bytes are then read into that (possibly zero-length) buffer
            if( ! rInFile.read( pBuffer, nBytesToRead, nRead ) && nRead == nBytesToRead )
psprint is a function for printing on Unix (so Windows doesn't use it), where the input file is first converted to PS (PostScript) and then printed in some way.
If nBytesToRead is equal to 0xffffffff, 0 bytes of memory will be allocated, but the program will read up to 0xffffffff bytes of data, overflowing the allocated buffer.
In the attachment there is a formatted pfb file which should test the bug, if it can be exploited naturally.
So I repeat that it is possible that this part of the code cannot be reached, or other things, and so for the moment the bug exists only in theory.
As usual: no proof = no bug
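The wrap described in the post, shown as an added C example that is not OpenOffice's code and not the attached pfb: a small PFB-to-PFA walker over an in-memory file, with the original's `len + 1` size computation next to a checked replacement that rejects both the 0xffffffff case and a segment longer than the bytes remaining. The two sample files, the `pfb_*` function names and the rejection policy are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* PFB segment header as psp::convertPfbToPfa reads it: 0x80, a type byte,
   then a 4-byte little-endian payload length. */
#define PFB_MAGIC   0x80u
#define PFB_ASCII   1u
#define PFB_BINARY  2u
#define PFB_EOF     3u
#define PFB_HDR_LEN 6u

/* Decode the length in unsigned arithmetic. The original does
   buffer[5] << 24 on int-promoted operands, which is signed overflow
   when buffer[5] >= 0x80; widening to uint32_t first avoids that. */
uint32_t pfb_segment_length(const unsigned char hdr[6])
{
    return (uint32_t)hdr[2]
         | (uint32_t)hdr[3] << 8
         | (uint32_t)hdr[4] << 16
         | (uint32_t)hdr[5] << 24;
}

/* The size the original passes to new[]: unsigned int arithmetic, so
   0xffffffff + 1 wraps to 0 and a zero-length buffer comes back. */
unsigned int vulnerable_alloc_size(uint32_t len)
{
    return (unsigned int)len + 1u;
}

/* Hypothetical hardened check (not OpenOffice's fix): refuse a length that
   would wrap and a length past the end of the input. 0 on success, -1 else. */
int pfb_checked_alloc_size(uint32_t len, size_t remaining, size_t *out)
{
    if (len == UINT32_MAX)          /* len + 1 would wrap to 0 */
        return -1;
    if ((size_t)len > remaining)    /* segment runs past end of file */
        return -1;
    *out = (size_t)len + 1;         /* room for the NUL the original appends */
    return 0;
}

/* Walk an in-memory PFB: ASCII segments are copied verbatim, binary segments
   are hex-encoded, as a PFA conversion does. Returns the number of data
   segments before the type-3 trailer, or -1 on a malformed file. */
int pfb_to_pfa(const unsigned char *data, size_t n,
               char *out, size_t out_cap, size_t *out_len)
{
    static const char hex[] = "0123456789abcdef";
    size_t pos = 0, w = 0, need;
    int segments = 0;

    while (pos + PFB_HDR_LEN <= n) {
        const unsigned char *hdr = data + pos;
        uint32_t type = hdr[1];
        uint32_t len  = pfb_segment_length(hdr);

        if (hdr[0] != PFB_MAGIC)
            return -1;
        pos += PFB_HDR_LEN;
        if (type == PFB_EOF) {
            *out_len = w;
            return segments;
        }
        if (type != PFB_ASCII && type != PFB_BINARY)
            return -1;
        if (pfb_checked_alloc_size(len, n - pos, &need) != 0)
            return -1;               /* the 0xffffffff file is rejected here */

        if (type == PFB_ASCII) {
            if (w + len > out_cap) return -1;
            memcpy(out + w, data + pos, len);
            w += len;
        } else {
            if (w + (size_t)len * 2 > out_cap) return -1;
            for (uint32_t i = 0; i < len; i++) {
                out[w++] = hex[data[pos + i] >> 4];
                out[w++] = hex[data[pos + i] & 0x0f];
            }
        }
        pos += len;
        segments++;
    }
    return -1;                       /* no type-3 trailer before end of data */
}

/* Constructed samples (not real fonts, not the attached file). */
static const unsigned char good_pfb[] = {
    0x80, 0x01, 0x05, 0x00, 0x00, 0x00, '%', '!', 'P', 'S', '\n',
    0x80, 0x02, 0x02, 0x00, 0x00, 0x00, 0xde, 0xad,
    0x80, 0x03, 0x00, 0x00, 0x00, 0x00
};
static const unsigned char evil_pfb[] = {
    0x80, 0x02, 0xff, 0xff, 0xff, 0xff, 'A', 'A', 'A', 'A'
};

/* 0 if both samples behave as expected, otherwise the failing step. */
int check_samples(void)
{
    char out[64];
    size_t w = 0;
    if (pfb_to_pfa(good_pfb, sizeof good_pfb, out, sizeof out, &w) != 2) return 1;
    if (w != 9 || memcmp(out, "%!PS\ndead", 9) != 0)                    return 2;
    if (pfb_to_pfa(evil_pfb, sizeof evil_pfb, out, sizeof out, &w) != -1) return 3;
    return 0;
}

int main(void)
{
    printf("original size for 0xffffffff: %u\n", vulnerable_alloc_size(0xffffffffu));
    printf("samples: %s\n", check_samples() == 0 ? "ok" : "FAILED");
    return check_samples();
}
```

The checked version keeps the `+ 1` because the original appends a terminator, but the length test against the remaining input is the part that actually matters: even without the wrap, a length larger than the file makes the loop read into memory it does not own.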