Closed GoogleCodeExporter closed 9 years ago
On top of the above out-of-bounds reads, there are also multiple CharString
instructions whose implementation doesn't verify that there is enough room on
the stack to store their output values. This can lead to overwriting up to two
32-bit values before "&op_stk" on the kernel-mode stack.
The affected opcodes are as follows:
1) escape + not (off-by-one)
2) escape + neg (off-by-one)
3) escape + abs (off-by-one)
4) escape + sqrt (off-by-one)
5) escape + index (off-by-one)
6) escape + exch (off-by-two)
All of those instruction sequences follow a scheme of:
1) pop the instruction operand(s) from stack,
2) perform corresponding calculations,
3) push the operand(s) back to the stack.
While as a result they do not change the size of the stack, if the number of
items on the stack is not sufficiently large, memory from before the operand
stack will be used (and modified). The stack-based out-of-bounds write
primitive is potentially dangerous here, but the fact that it is limited to
mostly four bytes (with the exception of the "exch" instruction) and that there
don't seem to be any interesting objects stored directly before the operand
stack array in the ATMFD.DLL builds we have checked mitigates the risk of
successful exploitation.
However, the mitigating factor is purely accidental and may not be present in
future builds of the library, so it's recommended the bugs are treated as
potentially allowing execution of arbitrary code.
Original comment by mjurc...@google.com
on 18 Nov 2014 at 2:56
Original comment by mjurc...@google.com
on 4 Dec 2014 at 4:37
Original comment by mjurc...@google.com
on 11 Dec 2014 at 10:17
Original comment by mjurc...@google.com
on 24 Mar 2015 at 10:06
Original comment by cev...@google.com
on 1 Apr 2015 at 12:11
Original comment by mjurc...@google.com
on 20 Apr 2015 at 2:07
Original comment by mjurc...@google.com
on 12 Jun 2015 at 4:02
Any chance you have a PoC sample lying around that you could attach? Thanks!
Original comment by JZ4vWfJj...@gmail.com
on 18 Aug 2015 at 3:00
Original issue reported on code.google.com by
mjurc...@google.com
on 18 Nov 2014 at 1:41