Adobe Reader X and XI for Windows out-of-bounds read in CoolType.dll

[GoogleCodeExporter]

The following access violation was observed in Adobe Reader X and XI for 
Windows:

(d4c.4c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0699b912 ebx=00000000 ecx=0699b912 edx=000000ff esi=10d9b913 edi=0699b902
eip=693136d1 esp=1133d918 ebp=1133d988 iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010287
CoolType+0x536d1:
693136d1 660fb64708      movzx   ax,byte ptr [edi+8]        ds:0023:0699b90a=??
0:014> !address edi+8

Usage:                  PageHeap
Base Address:           0699b000
End Address:            0699c000
Region Size:            00001000
State:                  00002000    MEM_RESERVE
Protect:                <info not present at the target>
Type:                   00020000    MEM_PRIVATE
Allocation Base:        06950000
Allocation Protect:     00000001    PAGE_NOACCESS
More info:              !heap -p 0x5251000
More info:              !heap -p -a 0x699b90a
0:014> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
1133d988 00000000 CoolType+0x536d1

Notes:

- Reproduces on Adobe Reader X (10.1.12) and Adobe Reader XI (11.0.09) for 
Windows, on Windows 7, with Application Verifier enabled.

- The “EDI” register points into a reserved PageHeap memory page following 
a regular heap allocation. This implies this is an out-of-bounds memory access 
relative to a heap-based buffer.

- Sometimes several attempts are required to reproduce the case.

- Attached samples: signal_sigsegv_f74f5598_9029_707.pdf (crashing file), 
707.pdf (original file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 30 Oct 2014 at 3:07

Attachments:

• signal_sigsegv_f74f5598_9029_707.zip

[GoogleCodeExporter]

The original 707.pdf sample is available from Drive: 
https://drive.google.com/a/google.com/file/d/0B0tJqpS3FKtCSlUxWFNsaEQydVE/view?u
sp=sharing.

Original comment by mjurc...@google.com on 30 Oct 2014 at 3:10

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 30 Oct 2014 at 5:22

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 31 Oct 2014 at 10:18

• Added labels: Id-3108

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 10 Dec 2014 at 12:56

• Added labels: CVE-2014-9161

[GoogleCodeExporter]

The vendor communication timeline is as follows:

10/30/14 Vulnerability is reported to Adobe PSIRT.
10/31/14 Adobe PSIRT confirms reception of the reports and assigns internal 
case ID (PSIRT-3108).
12/05/14 Adobe PSIRT informs us that the vulnerability would be fixed in next 
Tuesday's Acrobat and Reader security bulletins, and assigns CVE-2014-9161 for 
the issue.
12/08/14 Adobe PSIRT sends and update claiming that the issue is fixed for 
Windows, but the vendor has been unable to introduce a fix in the update for 
Mac, so the case is kept open until an update is released for Mac.
01/27/15 We send a heads-up to Adobe that the 90 day deadline elapses on the 
next day and we will remove the view restriction.

We have reproduced the crash on a fully updated Adobe Reader for Mac. We are 
currently not aware of any mitigations for the vulnerability.

Original comment by mjurc...@google.com on 27 Jan 2015 at 9:47

[GoogleCodeExporter]

Deadline exceeded - automatically derestricting

Original comment by mjurc...@google.com on 29 Jan 2015 at 12:10

• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Original comment by cev...@google.com on 9 Feb 2015 at 3:33

• Added labels: Deadline-Exceeded