staticanalysis / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Reader X for Windows out-of-bounds write in AcroRd32.dll #145

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following access violation was observed in Adobe Reader X for Windows:

(ec4.654): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000000ff ebx=18160385 ecx=179d5000 edx=00000000 esi=00049230 edi=6514eb86
eip=652f7ad7 esp=0012ed58 ebp=0012ed84 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
AcroRd32_64fe0000!CTJPEGRotateOptions::operator=+0xf7e27:
652f7ad7 8801            mov     byte ptr [ecx],al          ds:0023:179d5000=??
0:000> !heap -p -a ecx
    address 179d5000 found in
    _DPH_HEAP_ROOT @ 4a61000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                17a40bfc:         1799e240            36dc0 -         1799e000            38000
    70448e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77085ede ntdll!RtlDebugAllocateHeap+0x00000030
    7704a40a ntdll!RtlpAllocateHeap+0x000000c4
    77015ae0 ntdll!RtlAllocateHeap+0x0000023a
    7328a792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
    71473db8 MSVCR90!malloc+0x00000079
    65001e92 AcroRd32_64fe0000!AVAcroALM_Destroy+0x000137c4
    65310f64 AcroRd32_64fe0000!CTJPEGRotateOptions::operator=+0x001112b4
0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ed84 652fd1fa AcroRd32_64fe0000!CTJPEGRotateOptions::operator=+0xf7e27
0012ee2c 65310f64 AcroRd32_64fe0000!CTJPEGRotateOptions::operator=+0xfd54a
0012ef2c 64ffdacf AcroRd32_64fe0000!CTJPEGRotateOptions::operator=+0x1112b4
0012ef40 6531211c AcroRd32_64fe0000!AVAcroALM_Destroy+0xf401
0012f344 6557bd45 AcroRd32_64fe0000!CTJPEGRotateOptions::operator=+0x11246c
0012f5c8 650f6046 AcroRd32_64fe0000!PDFLTerm+0x183ac5
00000000 00000000 AcroRd32_64fe0000!DllCanUnloadNow+0xd82a

Notes:

- Reproduces on Adobe Reader X (10.1.12) for Windows, on Windows 7, with 
Application Verifier enabled. We are unable to reproduce on Adobe Reader XI 
(11.0.09) in the same configuration.

- The crash occurs when the user opens the “Thumbnails” dialog on the left 
of the main window.

- The “ECX” register points at the end boundary of a heap allocation.

- Based on the nature of the crash, we can assume it is caused by a heap-based 
buffer overflow condition.

- Attached samples: signal_sigsegv_f6529e93_5762_4873.pdf (crashing file), 
4873.pdf (original file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 30 Oct 2014 at 2:04

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 30 Oct 2014 at 5:22

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 31 Oct 2014 at 10:24

GoogleCodeExporter commented 9 years ago
http://helpx.adobe.com/security/products/reader/apsb14-28.html

Original comment by mjurc...@google.com on 10 Dec 2014 at 1:02