staticanalysis / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Reader X and XI for Windows out-of-bounds write in AGM.dll #139

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following access violation was observed in Adobe Reader X and XI for 
Windows:

(1230.15dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000000ff ebx=00000000 ecx=0c826b50 edx=0c6d0ffd esi=0c6d1000 edi=0017be70
eip=695c4d43 esp=0017bd78 ebp=00000001 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
AGM!AGMTerminate+0xf2dcd:
695c4d43 8806            mov     byte ptr [esi],al          ds:0023:0c6d1000=??
0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0017bdec 73144306 AGM!AGMTerminate+0xf2dcd
0017be44 69499a2c BIB!BIBInitialize4+0x50a
0017be48 3b179425 AGM!AGMInitialize+0x2eeb1

Notes:

- Reproduces on Adobe Reader X (10.1.12) and Adobe Reader XI (11.0.09) for 
Windows, on Windows 7, with Application Verifier enabled.

- The “ESI” register points into a heap boundary of a region of size 
0x5c000.

- The crash occurs approximately at the first iteration of a loop, which should 
normally iterate three times.

- Based on the type of memory reference causing the crash, we can assume it is 
a heap based buffer overflow.

- Attached samples: signal_sigsegv_f6529e93_1074_172.pdf (crashing file), 
172.pdf (original file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 30 Oct 2014 at 1:02

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 30 Oct 2014 at 5:23

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 31 Oct 2014 at 10:25

GoogleCodeExporter commented 9 years ago
http://helpx.adobe.com/security/products/reader/apsb14-28.html

Original comment by mjurc...@google.com on 10 Dec 2014 at 1:03