search

telnetgmike / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Reader X and XI for Windows unmapped memory read in AGM.dll #148

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
The following access violation was observed in Adobe Reader X and XI for 
Windows:

(114c.1f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0029cff8 ebx=000007ff ecx=0029cf80 edx=321dc2f9 esi=121dc6d0 edi=000007ff
eip=698091ad esp=0029cf28 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050246
AGM!AGMInitialize+0x2e2b1:
698091ad 0fb612          movzx   edx,byte ptr [edx]         ds:0023:321dc2f9=??
0:000> u @$scopeip
AGM!AGMInitialize+0x2e2b1:
698091ad 0fb612          movzx   edx,byte ptr [edx]
698091b0 885001          mov     byte ptr [eax+1],dl
698091b3 8b11            mov     edx,dword ptr [ecx]
698091b5 0fb65201        movzx   edx,byte ptr [edx+1]
698091b9 40              inc     eax
698091ba 40              inc     eax
698091bb 8810            mov     byte ptr [eax],dl
698091bd 8b09            mov     ecx,dword ptr [ecx]
0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 AGM!AGMInitialize+0x2e2b1

Notes:

- Reproduces on Adobe Reader X (10.1.12) and Adobe Reader XI (11.0.09) for 
Windows, on Windows 7, with Application Verifier enabled.

- The “EDX” register being read from points into an unmapped portion of the 
address space.

- The “EAX” register being written to points to a stack location.

- The crashing function is fairly short: it copies three bytes from one buffer 
to another, and sets the fourth one in the destination buffer to 0x00.

- Attached samples: signal_sigsegv_f77edbae_2787_2872.pdf (crashing file), 
2872.pdf (original file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 30 Oct 2014 at 2:55

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 30 Oct 2014 at 5:22

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 31 Oct 2014 at 10:25

GoogleCodeExporter commented 9 years ago 
http://helpx.adobe.com/security/products/reader/apsb14-28.html

Original comment by mjurc...@google.com on 10 Dec 2014 at 1:02