secretsquirrel / google-security-research

Automatically exported from code.google.com/p/google-security-research

Adobe Reader X for Windows out-of-bounds read in AGM.dll #142

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following access violation was observed in Adobe Reader X for Windows:

(1320.12c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=433f3f80 ebx=0b836534 ecx=00000001 edx=00000102 esi=0b836124 edi=0028e12c
eip=6962cd2d esp=0028d87c ebp=0c29a7bc iopl=0         ov up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010a83
AGM!AGMTerminate+0x15adb7:
6962cd2d 8b448500        mov     eax,dword ptr [ebp+eax*4] 
ss:0023:1926a5bc=????????
0:000> !heap -p -a ebp
    address 0c29a7bc found in
    _DPH_HEAP_ROOT @ 5361000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 bbb0514:          c28e1d8             fe28 -          c28e000            11000
    6bdd8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77085ede ntdll!RtlDebugAllocateHeap+0x00000030
    7704a40a ntdll!RtlpAllocateHeap+0x000000c4
    77015ae0 ntdll!RtlAllocateHeap+0x0000023a
    7310a792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
    71473db8 MSVCR90!malloc+0x00000079
    67101e92 AcroRd32_670e0000!AVAcroALM_Destroy+0x000137c4
0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0028d914 6962c006 AGM!AGMTerminate+0x15adb7
0028d91c 6962c02a AGM!AGMTerminate+0x15a090
0028d93c 694a1f7b AGM!AGMTerminate+0x15a0b4
0028d94c 714346fc AGM!AGMInitialize+0x37400

Notes:

- Reproduces on Adobe Reader X (10.1.12) for Windows, on Windows 7, with 
Application Verifier enabled. We are unable to reproduce on Adobe Reader XI 
(11.0.09) in the same configuration.

- The surrounding code operates heavily on floats.

- The direct reason for the crash is an unbounded index number used to address a 
heap allocation pointed to by “EBP”, which is derived from a float number 
in the same loop the SIGSEGV occurs in. The retrieved value is copied into an 
output array allocated from heap, pointed to by “ESI”.

- Attached samples: signal_sigsegv_f795e4d1_5174_4477.pdf (crashing file), 
4477.pdf (original file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 30 Oct 2014 at 1:28

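The mechanism the notes describe (a float-derived index used as-is to read from a heap block), as an added C illustration that is not the reporter's or Adobe's code: a hypothetical 256-entry lookup table and scale factor stand in for the real AGM.dll data, an unchecked float-to-index conversion is shown beside a hardened one that rejects NaN, infinity and out-of-range values before any table read, and the copy loop fails closed on rejected inputs.

```c
#include <math.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 256-entry table standing in for the heap block EBP points to
 * in the report; Adobe's real layout and scale factor are unknown. */
#define TABLE_LEN 256

/* The unchecked pattern the notes describe: an index computed from a float
 * and used as-is. Returned, not dereferenced, to show how far out it lands.
 * Finite inputs only: converting NaN/inf to an integer is undefined in C. */
static long raw_float_index(float f) {
    return (long)(f * (float)(TABLE_LEN - 1));
}

/* Hardened mapping: -1 unless f maps inside the table. isfinite() runs
 * before the cast so NaN and +/-inf never reach it; the range check keeps
 * the truncated value in [0, TABLE_LEN-1]. */
static long checked_float_index(float f) {
    if (!isfinite(f) || f < 0.0f || f > 1.0f)
        return -1;
    long i = (long)(f * (float)(TABLE_LEN - 1));
    return (i < 0 || i >= TABLE_LEN) ? -1 : i;
}

/* Loop of the kind the report describes: one table read per float input,
 * copied to an output buffer. Rejected inputs are skipped; the return value
 * (entries written) lets the caller fail closed when it is short. */
static size_t copy_lookups(const uint8_t *table, const float *in, size_t n,
                           uint8_t *out) {
    size_t w = 0;
    for (size_t k = 0; k < n; k++) {
        long slot = checked_float_index(in[k]);
        if (slot >= 0)
            out[w++] = table[(size_t)slot];
    }
    return w;
}

int main(void) {
    /* Constructed inputs: two valid, then negative, oversize, NaN, inf. */
    const float in[] = {0.0f, 1.0f, -0.5f, 4.0f, NAN, INFINITY};
    uint8_t table[TABLE_LEN] = {0}, out[6] = {0};
    size_t w = copy_lookups(table, in, 6, out);
    printf("written=%zu of 6; raw index for 4.0f=%ld\n", w, raw_float_index(4.0f));
    return 0;
}
```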

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 30 Oct 2014 at 5:23

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 31 Oct 2014 at 10:20

GoogleCodeExporter commented 9 years ago
http://helpx.adobe.com/security/products/reader/apsb14-28.html

Original comment by mjurc...@google.com on 10 Dec 2014 at 12:59

GoogleCodeExporter commented 9 years ago

Original comment by scvi...@google.com on 13 Jan 2015 at 12:25