ganado / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Reader X for Windows out-of-bounds read in CoolType.dll #147

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following access violation was observed in Adobe Reader X for Windows:

(11e8.1618): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=12822dfc ebx=12824000 ecx=00000018 edx=00000000 esi=12822dec edi=00000008
eip=6a262b9d esp=0013da60 ebp=0013da98 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050202
CoolType!CTInit+0x27279:
6a262b9d 8a1b            mov     bl,byte ptr [ebx]          ds:0023:12824000=??
0:000> !heap -p -a ebx
    address 12824000 found in
    _DPH_HEAP_ROOT @ 4cc1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                127a08bc:         128141d8             fe28 -         12814000            11000
    6b508e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    76fb5ede ntdll!RtlDebugAllocateHeap+0x00000030
    76f7a40a ntdll!RtlpAllocateHeap+0x000000c4
    76f45ae0 ntdll!RtlAllocateHeap+0x0000023a
    72e6a792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
    71393db8 MSVCR90!malloc+0x00000079
    64d6deb2 AcroRd32_64ca0000!AX_ASRamFileSysSetLimitKB+0x000a4e0a
    6a1d1350 CoolType+0x00001350
    6a1f4f75 CoolType+0x00024f75
    6a1f7c4c CoolType+0x00027c4c
    6a1fe900 CoolType+0x0002e900
    6a1fea4c CoolType+0x0002ea4c
    6a22131e CoolType+0x0005131e
0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0013da98 6a25f0a8 CoolType!CTInit+0x27279
0013db54 6a25f9b2 CoolType!CTInit+0x23784
0013dbc8 6a1dabe7 CoolType!CTInit+0x2408e
0013dc1c 6a1f45fe CoolType+0xabe7
0013dd6c 6a1f9776 CoolType+0x245fe
00000000 00000000 CoolType+0x29776

Notes:

- Reproduces on Adobe Reader X (10.1.12) for Windows, on Windows 7, with 
Application Verifier enabled. We are unable to reproduce on Adobe Reader XI 
(11.0.09) in the same configuration.

- The crash occurs when the user opens the “Thumbnails” dialog on the left 
of the main window.

- The “EBX” register points at the end boundary of a heap allocation.

- Attached samples: signal_sigsegv_f7314fa8_5370_4609.pdf (crashing file), 
4609.pdf (original file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 30 Oct 2014 at 2:51

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 30 Oct 2014 at 5:22

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 31 Oct 2014 at 10:25

GoogleCodeExporter commented 9 years ago
http://helpx.adobe.com/security/products/reader/apsb14-28.html

Original comment by mjurc...@google.com on 10 Dec 2014 at 1:03