ericmckean / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Reader X and XI for Windows unmapped memory read in AGM.dll #146

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following access violation was observed in Adobe Reader X and XI for 
Windows:

(a00.a90): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0053dd14 ecx=8ba78ec1 edx=00000101 esi=0bf12ccc edi=000001aa
eip=691cf678 esp=0053dca4 ebp=0ba78ec8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
AGM!AGMTerminate+0x15699f:
691cf678 8a19            mov     bl,byte ptr [ecx]          ds:0023:8ba78ec1=??
0:000> dd ecx
8ba78ec1  ???????? ???????? ???????? ????????
8ba78ed1  ???????? ???????? ???????? ????????
8ba78ee1  ???????? ???????? ???????? ????????
8ba78ef1  ???????? ???????? ???????? ????????
8ba78f01  ???????? ???????? ???????? ????????
8ba78f11  ???????? ???????? ???????? ????????
8ba78f21  ???????? ???????? ???????? ????????
8ba78f31  ???????? ???????? ???????? ????????
0:000> u
AGM!AGMTerminate+0x15699f:
691cf678 8a19            mov     bl,byte ptr [ecx]
691cf67a 881e            mov     byte ptr [esi],bl
691cf67c 46              inc     esi
691cf67d 8974241c        mov     dword ptr [esp+1Ch],esi
691cf681 8b74242c        mov     esi,dword ptr [esp+2Ch]
691cf685 40              inc     eax
691cf686 41              inc     ecx
691cf687 3b4640          cmp     eax,dword ptr [esi+40h]
0:000> !heap -p -a esi
    address 0bf12ccc found in
    _DPH_HEAP_ROOT @ 4b11000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 ae832d8:          bf12428            2abd4 -          bf12000            2c000
    72b98e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    76e55ede ntdll!RtlDebugAllocateHeap+0x00000030
    76e1a40a ntdll!RtlpAllocateHeap+0x000000c4
    76de5ae0 ntdll!RtlAllocateHeap+0x0000023a
    7187a792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
    71243db8 MSVCR90!malloc+0x00000079
    65a0deb2 AcroRd32_65940000!AX_ASRamFileSysSetLimitKB+0x000a4e0a
0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0053dd3c 691ceb06 AGM!AGMTerminate+0x15699f
0053dd44 691ceb2a AGM!AGMTerminate+0x155e2d
0053dd84 6919650a AGM!AGMTerminate+0x155e51
0053ddd4 6904c422 AGM!AGMTerminate+0x11d831
0053ddf4 69021657 AGM!AGMInitialize+0x41526
0053de24 69021fa8 AGM!AGMInitialize+0x1675b
00000000 00000000 AGM!AGMInitialize+0x170ac

Notes:

- Reproduces on Adobe Reader X (10.1.12) and Adobe Reader XI (11.0.09) for 
Windows, on Windows 7, with Application Verifier enabled.

- The “ECX” register points into an unmapped portion of the address space.

- Attached samples: signal_sigsegv_f795e240_8119_6458.pdf (crashing file), 
6458.pdf (original file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 30 Oct 2014 at 2:13

Attachments:

GoogleCodeExporter commented 9 years ago
Due to Google Code attachment quota, the original 6458.pdf file is available 
from Drive: 
https://drive.google.com/a/google.com/file/d/0B0tJqpS3FKtCaEVBWTNPNE05TnM/view?u
sp=sharing.

Original comment by mjurc...@google.com on 30 Oct 2014 at 2:39

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 30 Oct 2014 at 5:22

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 31 Oct 2014 at 10:22

GoogleCodeExporter commented 9 years ago
http://helpx.adobe.com/security/products/reader/apsb14-28.html

Original comment by mjurc...@google.com on 10 Dec 2014 at 1:00