Hancom Office 2020 Hword Docx XML parsing heap underflow vulnerability

We discussed this vulnerability during Episode 158 on 11 October 2022

When the docx parser encounters an end element, it assumes a pointer to the corresponding start element is already available and operates on it, leading to an out-of-bounds access immediately before the buffer.

What Talos found here was that when Hancom Office 2020 Hword was provided a malformed docx with a </w:p> before any opening <w:p> tag, the parser would assume the opening tag had already been parsed and attempt to access it, then call one of the object's methods. With some heap grooming an attacker could potentially gain control of the pointer in memory where Hword expects the start object to be and obtain an arbitrary call primitive.
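The missing check in this bug class is the one a tag-stack parser must make before pairing an end element with its start element. The following is an added illustration, not Hword's code or Talos's: a hypothetical minimal walker over a simplified tag stream that rejects a leading </w:p> instead of reading the slot before its stack (the `walk_tags` function, `MAX_DEPTH` and the status values are all assumptions of this example).

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical minimal tag-stack walker; added illustration, not Hword code. */
#define MAX_DEPTH 64

enum parse_status {
    PARSE_OK = 0,
    PARSE_UNBALANCED_CLOSE, /* end element with an empty stack: the bug class above */
    PARSE_MISMATCH,         /* end element name differs from the open element */
    PARSE_TOO_DEEP,
    PARSE_UNCLOSED,
    PARSE_MALFORMED
};

/* Scans a simplified tag stream such as "<w:p><w:r></w:r></w:p>" (text between
 * tags is skipped) and keeps a stack of open start elements. The depth check
 * before each pop is what a vulnerable parser omits: without it, a leading
 * "</w:p>" makes the parser read names[-1], one slot before the buffer, and
 * treat whatever sits there as the start element. */
enum parse_status walk_tags(const char *doc)
{
    const char *names[MAX_DEPTH];
    size_t lens[MAX_DEPTH];
    int depth = 0;
    const char *p = doc;

    while ((p = strchr(p, '<')) != NULL) {
        const char *end = strchr(p, '>');
        if (end == NULL)
            return PARSE_MALFORMED;
        if (p[1] == '/') {
            size_t n = strcspn(p + 2, " >");
            if (depth == 0)                     /* nothing to pair with */
                return PARSE_UNBALANCED_CLOSE;
            depth--;
            if (n != lens[depth] || memcmp(names[depth], p + 2, n) != 0)
                return PARSE_MISMATCH;
        } else if (end[-1] != '/') {            /* "<w:br/>" opens nothing */
            if (depth == MAX_DEPTH)
                return PARSE_TOO_DEEP;
            names[depth] = p + 1;
            lens[depth] = strcspn(p + 1, " />");
            depth++;
        }
        p = end + 1;
    }
    return depth == 0 ? PARSE_OK : PARSE_UNCLOSED;
}
```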